oven-sh / bun

Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one
https://bun.sh

Support `--security-revert` equivalent from Node.js #14770

Open wenerme opened 1 month ago

wenerme commented 1 month ago

What version of Bun is running?

1.1.32+fe8d0079e

What platform is your computer?

Linux 6.10.11-orbstack-00280-g1304bd068592 x86_64 unknown

What steps can reproduce the bug?

Like this https://github.com/orgs/vercel/discussions/6630 , but `bun --security-revert=CVE-2023-46809 run ...` still does not work. It seems there is no workaround; I have to downgrade Bun.

What is the expected behavior?

bun --security-revert=CVE-2023-46809 works like node

What do you see instead?

```
513 |   randomKey?: string | Buffer;
514 |   privateKey?: string;
515 |   encrypted: string;
516 | }) {
517 |   if (!decryptKey && randomKey && privateKey) {
518 |     decryptKey = crypto.privateDecrypt(
                              ^
TypeError: RSA_PKCS1_PADDING is no longe
```

Additional information

The last working version is Bun 1.1.27.

Electroid commented 1 month ago

Bun does not have support for `--security-revert`; this would be something we need to take a look at.

wenerme commented 1 month ago

BTW, node 22 is --security-revert=CVE-2024-PEND
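
A startup probe for the failure reported in this issue, as an added example that is not code from the thread or from Bun: it reports whether the running runtime accepts or rejects `crypto.privateDecrypt` with `RSA_PKCS1_PADDING`, using OAEP as a control. The function name `probeRsaDecryptPadding` and the sample plaintext are assumptions made for the example.

```javascript
// Added example: probe how this runtime treats RSA private decryption
// with PKCS#1 v1.5 padding versus OAEP padding.
const crypto = require('node:crypto');

function probeRsaDecryptPadding() {
  // Throwaway key pair and sample plaintext, constructed for this probe only.
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
  });
  const sample = Buffer.from('padding-probe');

  const tryPadding = (padding) => {
    try {
      // Round trip: encrypt with the public key, decrypt with the private key.
      const ciphertext = crypto.publicEncrypt({ key: publicKey, padding }, sample);
      const plain = crypto.privateDecrypt({ key: privateKey, padding }, ciphertext);
      return { status: plain.equals(sample) ? 'accepted' : 'mismatch', message: null };
    } catch (err) {
      // A runtime that blocks this padding surfaces it here; keep the message
      // so logs show the exact reason.
      return { status: 'rejected', message: String(err && err.message) };
    }
  };

  return {
    pkcs1v15: tryPadding(crypto.constants.RSA_PKCS1_PADDING),
    oaep: tryPadding(crypto.constants.RSA_PKCS1_OAEP_PADDING),
  };
}

// Log the result once at startup so a runtime upgrade that changes the
// behaviour is visible before the first real decryption fails.
console.log(probeRsaDecryptPadding());
```

The `pkcs1v15.status` value differs between runtime versions, so treat it as an environment fact to record rather than a constant.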