⬆️ Bump node-forge and heroku

[dependabot[bot]]

Bumps node-forge to 1.3.0 and updates ancestor dependency heroku. These dependencies need to be updated together.

Updates node-forge from 0.6.47 to 1.3.0

Changelog

Sourced from node-forge's changelog.

1.3.0 - 2022-03-17

Security

• Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh (moosa-yahyazadeh@uiowa.edu).
• HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.
  • The code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  • CVE ID: CVE-2022-24771
  • GHSA ID: GHSA-cfm4-qjh2-4765
• HIGH: Failing to check tailing garbage bytes can lead to signature forgery.
  • The code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  • CVE ID: CVE-2022-24772
  • GHSA ID: GHSA-x4jg-mjrx-434g
• MEDIUM: Leniency in checking type octet.
  • DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
  • CVE ID: CVE-2022-24773
  • GHSA ID: GHSA-2r2c-g63r-vccr

Fixed

• [asn1] Add fallback to pretty print invalid UTF8 data.
• [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
  • NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
• [rsa] Add and use a validator to check for proper structure of parsed ASN.1 RSASSA-PKCS-v1_5 DigestInfo data. Additionally check that the hash algorithm identifier is a known value from RFC 8017 PKCS1-v1-5DigestAlgorithms. An invalid DigestInfo or algorithm identifier will now throw an error.
  • NOTE: The previous lenient behavior is being changed to be more strict since it could lead to security issues with crafted inputs. It is possible that code may have to handle the errors from these stricter checks.

... (truncated)

Commits

• 6c5b901 Release 1.3.0.
• 0f3972a Update changelog.
• dc77b39 Fix error checking.
• bb822c0 Add advisory links.
• d4395fe Update changelog.
• a4405bb Improve signature verification tests.
• aa9372d Add missing RFC 8017 algorithm identifiers.
• 3f0b49a Fix signature verification issues.
• c20f309 Adjust remaining length.
• e27f612 Remove unused option.
• Additional commits viewable in compare view

Updates heroku from 7.0.60 to 7.69.1

Release notes

Sourced from heroku's releases.

v7.69.1

• 49d3689c1 chore(cli): bump version of warn if update available plugin and update prerelease functionality (#2265)
• 70791fab7 chore: add ability to release from prerelease branches (#2258)
• c65cdb076 release v7.69.0 (#2263)
• 88ff4d74b feat(local): change default starting port (#2261)
• 5908cbe53 chore: remove windows acceptance test run (#2262)
• bff246fe7 release v7.68.3 (#2260)
• 27b755376 fix(redis-v5): CLI to log Shogun upgrade response (#2255)
• f6cb67bd5 refactor: revert oclif upgrade (#2256)
• da77f9c64 fix: ensure correct exit code in acceptance tests failures (#2252)
• 2257adda8 fix: add node 14 to unit tests in CI. (#2254)
• bde592495 patch: bump version of oclif/plugin-warn-if-update-available (#2253)
• 781b770d7 fix(oauth-v5): re-add authorizations:revoke to commands (#2250)
• be9d3f478 refactor: re-implement oclif core migration (#2244)
• 77006d1fb release v7.68.2 (#2247)
• f4282bc7f chore: fix snyk workflow (#2248)
• 98d2abab0 fix: downgrade ubuntu from latest to one that uses a compression method debian supports (#2246)
• 9aa4339a4 release v7.68.1 (#2242)
• 818ec3499 Fixes app name returned from particleboard (#2002)
• e70f7669a v7.68.0 (#2236)
• 1affd1914 feat(apps-v5): add fleet to dyno list as extended attribute (#2220)
• 0955a24d6 fix: revert to v7.67.2 (#2235)

v7.69.1-beta.0

No release notes provided.

v7.69.0

• 88ff4d74b feat(local): change default starting port (#2261)
• 5908cbe53 chore: remove windows acceptance test run (#2262)
• bff246fe7 release v7.68.3 (#2260)
• 27b755376 fix(redis-v5): CLI to log Shogun upgrade response (#2255)
• f6cb67bd5 refactor: revert oclif upgrade (#2256)
• da77f9c64 fix: ensure correct exit code in acceptance tests failures (#2252)
• 2257adda8 fix: add node 14 to unit tests in CI. (#2254)
• bde592495 patch: bump version of oclif/plugin-warn-if-update-available (#2253)
• 781b770d7 fix(oauth-v5): re-add authorizations:revoke to commands (#2250)
• be9d3f478 refactor: re-implement oclif core migration (#2244)
• 77006d1fb release v7.68.2 (#2247)
• f4282bc7f chore: fix snyk workflow (#2248)
• 98d2abab0 fix: downgrade ubuntu from latest to one that uses a compression method debian supports (#2246)
• 9aa4339a4 release v7.68.1 (#2242)
• 818ec3499 Fixes app name returned from particleboard (#2002)
• e70f7669a v7.68.0 (#2236)
• 1affd1914 feat(apps-v5): add fleet to dyno list as extended attribute (#2220)
• 0955a24d6 fix: revert to v7.67.2 (#2235)

v7.68.3

• 27b755376 fix(redis-v5): CLI to log Shogun upgrade response (#2255)
• f6cb67bd5 refactor: revert oclif upgrade (#2256)
• da77f9c64 fix: ensure correct exit code in acceptance tests failures (#2252)

... (truncated)

Changelog

Sourced from heroku's changelog.

7.69.1 (2023-03-09)

Note: Version bump only for package heroku

7.69.0 (2023-03-07)

Note: Version bump only for package heroku

7.68.3 (2023-03-06)

Bug Fixes

• add node 14 to unit tests in CI. (#2254) (2257add)

7.68.2 (2023-02-21)

Note: Version bump only for package heroku

7.68.1 (2023-02-14)

Note: Version bump only for package heroku

7.68.0 (2023-02-06)

Bug Fixes

• revert to v7.67.2 (#2235) (0955a24), closes #2231 #2230 #2229 #2228 #2227 #2225 #2144 #2216 #2207 #2212 #2212

... (truncated)

Commits

• 7edc021 v7.69.1 (#2266)
• 49d3689 chore(cli): bump version of warn if update available plugin and update prerel...
• 70791fa chore: add ability to release from prerelease branches (#2258)
• c65cdb0 release v7.69.0 (#2263)
• 88ff4d7 feat(local): change default starting port (#2261)
• 5908cbe chore: remove windows acceptance test run (#2262)
• bff246f release v7.68.3 (#2260)
• 27b7553 fix(redis-v5): CLI to log Shogun upgrade response (#2255)
• f6cb67b refactor: revert oclif upgrade (#2256)
• da77f9c fix: ensure correct exit code in acceptance tests failures (#2252)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by k80bowman, a new releaser for heroku since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/vovs03/instaphoto/network/alerts).