
npm audit security vulnerability in node-forge

See original GitHub issue

npm audit indicates a vulnerability in the node-forge dependency.

=== npm audit security report ===

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution in node-forge                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-forge                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 0.10.0                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ actions-on-google                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ actions-on-google > googleapis > googleapis-common >         │
│               │ google-auth-library > gtoken > google-p12-pem > node-forge   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1561                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 18
  • Comments: 10 (4 by maintainers)

Top GitHub Comments

6 reactions
proppy commented, Apr 28, 2021

@digitaltoast https://github.com/actions-on-google/assistant-conversation-nodejs is used for conversation actions using Actions Builder with the new Actions SDK, while this repository is still relevant for Smart Home actions.

Looks like the vulnerability in this repository would require a major version upgrade for the google-auth-library:

-    "google-auth-library": "^1.6.1",
+    "google-auth-library": "^7.0.4",

which would in turn transitively change the node engine requirements from:

  "engines": {
    "node": ">=6.13.0"
  },

to:

  "engines": {
    "node": ">=10"
  },

This seems like a reasonable change to me since neither Node.js 6 nor Node.js 8 is actively supported anymore by the Node.js project: https://nodejs.org/en/about/releases/, but it would require a major version bump of the library itself.
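
The audit report above and proppy's analysis of the fix describe two checks a maintainer would otherwise do by hand: find which copies of node-forge the lockfile actually resolves and whether each is at or above the advisory's patched floor of 0.10.0, and see whether the engines.node floor that the upgrade pulls in is met by a given Node release. The script below does both offline against an npm lockfile. It is an added example, not code from the issue or from the actions-on-google project; the lockfile it walks is constructed for illustration (placeholder versions for the intermediate packages, a made-up 0.9.0 for the vulnerable copy, and a hypothetical package name some-other-dep for the nested copy), and the engines check only understands the ">=X" form that both engines fields on this page use.

```javascript
// Added example (not from the GitHub issue or the actions-on-google project).
// Two offline checks for a transitive advisory like the node-forge one:
//   1. which copies of a package an npm lockfile actually resolves, and
//      whether each is at or above the advisory's first patched version;
//   2. whether a package.json "engines.node" floor is met by a given Node.

// Constructed sample lockfile (npm lockfileVersion 2/3 "packages" map) that
// mirrors the dependency path from the audit report. Intermediate packages
// carry placeholder versions; 0.9.0 is a made-up pre-patch node-forge
// version; 0.10.0 is the patched floor the advisory reports; some-other-dep
// is a hypothetical package that pins its own nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "0.0.0-sample" },
    "node_modules/actions-on-google": { version: "0.0.0-sample" },
    "node_modules/googleapis": { version: "0.0.0-sample" },
    "node_modules/googleapis-common": { version: "0.0.0-sample" },
    "node_modules/google-auth-library": { version: "1.6.1" },
    "node_modules/gtoken": { version: "0.0.0-sample" },
    "node_modules/google-p12-pem": { version: "0.0.0-sample" },
    // Hoisted copy that the audit path resolves to: below 0.10.0, so flagged.
    "node_modules/node-forge": { version: "0.9.0" },
    // Nested copy kept separate by npm because another dependent needs it.
    "node_modules/some-other-dep/node_modules/node-forge": { version: "0.10.0" },
  },
};

// Parse "1.2.3", "v10" or "0.0.0-sample" into [major, minor, patch];
// a missing minor/patch counts as 0 and any pre-release suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Numeric comparison, so 0.10.0 sorts above 0.9.9 (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`. npm hoists one copy to node_modules/ and
// nests others under the dependents that need a different range, so a single
// lookup of the top-level entry can miss a vulnerable nested copy.
function findInstalls(lock, name) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.version) continue;
    const segments = path.split("node_modules/");
    if (segments[segments.length - 1] === name) out.push({ path, version: meta.version });
  }
  return out;
}

// Split the installed copies into those below the patched floor and the rest.
function auditInstalls(lock, name, patchedIn) {
  const installs = findInstalls(lock, name);
  return {
    vulnerable: installs.filter((i) => compareVersions(i.version, patchedIn) < 0),
    patched: installs.filter((i) => compareVersions(i.version, patchedIn) >= 0),
  };
}

// Only ">=X" ranges are supported, which is all the engines fields on this
// page use; any other range syntax is rejected rather than guessed at.
function engineSatisfied(range, running) {
  const m = /^>=\s*(\S+)$/.exec(String(range).trim());
  if (!m) throw new Error(`unsupported engines.node range: ${range}`);
  return compareVersions(running, m[1]) >= 0;
}

// Stand-alone run: report on the sample lockfile and the current Node.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const result = auditInstalls(SAMPLE_LOCK, "node-forge", "0.10.0");
  for (const i of result.vulnerable) console.log(`VULNERABLE ${i.path}@${i.version} (< 0.10.0)`);
  for (const i of result.patched) console.log(`ok         ${i.path}@${i.version}`);
  for (const range of [">=6.13.0", ">=10"]) {
    console.log(`node ${process.version} satisfies "${range}": ${engineSatisfied(range, process.version)}`);
  }
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json; lockfiles written by npm 6 (lockfileVersion 1) use a nested "dependencies" tree instead of the "packages" map and are not handled here.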

4 reactions
tommybluhm commented, Feb 2, 2021

Is there any update on this? Please fix the security issues!


Top Results From Across the Web

Vulnerability detected in node-forge - Stack Overflow
I've run npm audit fix. node-forge is only in my package-lock.json file and is required by "selfsigned" dependency. node ...
Fixing security vulnerabilities in npm dependencies in less ...
2.1) To fix any dependency, you need to first know which npm package depends on that. npm audit. This will tell you the...
node-forge - Snyk Vulnerability Database
version   published       direct vulnerabilities
1.3.1     29 Mar, 2022    0 C / 0 H / 0 M / 0 L
1.3.0     17 Mar, 2022    0 C / 0 H / 0 M / 0 L ...
Auditing package dependencies for security vulnerabilities
A security audit is an assessment of package dependencies for security vulnerabilities. Security audits help you protect your package's users by enabling ...
NPM Audit: How to Scan Packages for Security Vulnerabilities
Node Package Manager (npm) is a popular utility that allows JavaScript developers to create, use, reuse, manage, and share small pieces of ...
