jfromaniello / selfsigned

Generate self-signed certificates from node.js
MIT License

Fix vulnerabilities (CVE-2022-24771, CVE-2022-24772, CVE-2022-24773) #55

Closed jungdaniel closed 2 years ago

jungdaniel commented 2 years ago

node-forge@1.2.0 seems to contain vulnerabilities.

More details:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Issues were addressed in node-forge@1.3.0.

jfromaniello commented 2 years ago

This library depends on ^1.2 which means all 1s. This change is not necessary I think

» npm i selfsigned --save

added 2 packages, and audited 3 packages in 1s

found 0 vulnerabilities

» cat package-lock.json | jq '.packages."node_modules/node-forge".version'
"1.3.0"

jfromaniello commented 2 years ago

Anyway, I just updated the package-lock.json and removed the .2 from the package.json
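
Added example, not part of the thread or of the selfsigned code base: the jq check above looks at one path only, so this sketch walks every entry in a lockfile's `packages` map and reports each node-forge copy, top-level or nested, that resolves below the 1.3.0 release named in the issue. The sample lockfile and the package name `legacy-tool` are constructed for illustration.

```javascript
// Added example: flag node-forge copies in a package-lock.json (v2/v3
// "packages" map) that resolve below the fixed release.
const FIXED = "1.3.0"; // from the issue: "Issues were addressed in node-forge@1.3.0"

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so that 1.10.0 is not treated as older than 1.3.0.
function lessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Returns [{ path, version }] for each installed node-forge below `fixed`.
function findVulnerableForge(lock, fixed = FIXED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the top-level copy and copies nested under another dependency.
    if (!/(^|\/)node_modules\/node-forge$/.test(path)) continue;
    if (lessThan(meta.version, fixed)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample: the caret range is satisfied at top level, while a
// hypothetical dependency still carries its own older nested copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/selfsigned": { version: "0.0.0-sample", dependencies: { "node-forge": "^1.2.0" } },
    "node_modules/node-forge": { version: "1.3.0" },
    "node_modules/legacy-tool/node_modules/node-forge": { version: "1.2.0" },
  },
};

console.log(findVulnerableForge(sampleLock));
```

For a real project, pass the parsed contents of package-lock.json to `findVulnerableForge` in place of `sampleLock`.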