Closed augjoh closed 2 years ago
node-forge is a fallback mechanism for older Node.js versions that do not support the modulusLength key object property. So whatever vulnerability node-forge might have, it is not relevant to mailauth at all, as node-forge is only used to calculate modulus length for public keys in Node.js versions older than 15.7.0. Once there is something changed in mailauth itself I'll also upgrade all the dependencies. It's too bothersome to run the build pipeline (mailauth release includes a signed cli executable etc) just to upgrade one dependency that changes nothing.
@andris9: Thanks for looking into this issue. Please let me emphasize that this issue is a pain-in-the-arm for us. Our continuous integration (CI) has a step where npm audit is called. This automation cannot determine if the reported security vulnerability can be triggered or not. It simply fails. This breaks our development process, and each CI pipeline has to be inspected manually to see whether a failure is the non-critical mailauth one or a new security vulnerability. Our scheduled builds fail because of this issue. So this is really bothersome for us.
Please have another look here. Perhaps it is possible to release the library more often than the signed cli executable or release the binary in a different (automated) way.
@andris9 With v3.0.0 (https://github.com/postalsys/mailauth/commit/d00d2922a26b768dafad38509abb18762452b4a4) you've dropped support for node 14. Could you remove the node-forge dependency now?
Removed node-forge
Describe the bug
The used node-forge package has a security vulnerability. While the code in question may not be triggered by mailauth, the vulnerable module breaks our CI/CD process. Please upgrade node-forge.
What are your problems replacing node-forge with webcrypto completely?