Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

High node-forge security vulnerability

See original GitHub issue

🐛 bug report

node-forge < 0.10.0 has a high severity security vulnerability

🎛 Configuration (.babelrc, package.json, cli command)

package.json:

{
  "dependencies": {
     "parcel": "^1.12.4"
  }
}

🤔 Expected Behavior

No audit failures

😯 Current Behavior

Running npm install and then npm audit gives the following output:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution in node-forge                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-forge                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 0.10.0                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ parcel                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ parcel > node-forge                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1561                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 746 scanned packages
  1 vulnerability requires manual review. See the full report for details.

💁 Possible Solution

Upgrade to node-forge >= 0.10.0

🌍 Your Environment

Software	Version(s)
Parcel	1.12.4
Node	12.16.1
npm/Yarn	`npm` 6.14…8
Operating System	MacOS

Issue Analytics

State:
Created 3 years ago
Reactions:6
Comments:17 (5 by maintainers)

Top GitHub Comments

11reactions

torotilcommented, Nov 7, 2020

The CI for Parcel 1 is very broken, so a PR wouldn’t really help a lot unfortunately. We kinda messed up when trying to merge Parcel 1 and Parcel 2 into one branch.

Is it correct that this means Parcel 1 is no longer supported?

10reactions

mmikhalkocommented, Nov 25, 2020

Please provide the fix for v1

Top Results From Across the Web

node-forge - Snyk Vulnerability Database

version published direct vulnerabilities 1.3.1 29 Mar, 2022 0. C. 0. H. 0. M. 0. L 1.3.0 17 Mar, 2022 0. C. 0. H. 0....

Vulnerability detected in node-forge - Stack Overflow

I've recently started a new Vue.js project. After my most recent GitHub commit, I received the following Dependabot notice: Known high severity ...

npm audit security vulnerability in node-forge #407 - GitHub

Npm audit indicates a vulnerability in the node-forge dependency. === npm audit security report === │ High │ Prototype Pollution in node-forge ......

Security Bulletin: A security vulnerability in Node.js node-forge ... - IBM

A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager. CVE(s): CVE-2022-24772 ... Categorized: High Severity. Share this post:.

CVE-2022-24771 Detail - NVD

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, ...