
Security problem with `node-forge`


GitHub Security Advisory reports that node-forge 0.9.0, which is an indirect dependency of webpack-dev-server 3.11.0, has a high severity problem: https://github.com/advisories/GHSA-92xj-mqp7-vmcj

Webpack Dev Server uses that package through a package called selfsigned, which tracks this problem here: https://github.com/jfromaniello/selfsigned/issues/41

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 17 (6 by maintainers)

Top GitHub Comments

5 reactions
ilam-natarajan commented, Sep 19, 2020

An alternative to manually editing the yarn.lock file was:

  1. Add the below to package.json:

    "resolutions": {
      "webpack-dev-server/**/selfsigned": "^1.10.8"
    }

  2. yarn install. This modifies yarn.lock.
  3. git restore package.json
  4. yarn install. This again modifies yarn.lock.
  5. Commit the yarn.lock change.

2 reactions
jrochkind commented, Sep 18, 2020

@khhhum webpack-dev-server already allows the updated selfsigned and node-forge, a webpack-dev-server release isn’t required to use those updated dependencies.

But it can be confusing to figure out how to update ‘indirect’ dependencies like this, and the tooling can be surprisingly unhelpful.

If you are using yarn, the best way I have found is to open up the yarn.lock manually, and delete the lines for selfsigned and node-forge, and then run yarn install. It will insert the (new) latest allowable releases of selfsigned and node-forge into your yarn.lock, and you have updated your dependencies, no need for a webpack-dev-server release. See this blog post and this yarn issue. I remain surprised yarn doesn’t support a way of upgrading indirect dependencies less manually.

If you are using npm straight without yarn or other alternatives, I’m not certain the approach, but there should be one that does not require a webpack-dev-server release. If dependencies had to be re-released every time there was a new release of any of their own dependencies, that would be messy!
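Both comments above end with a modified yarn.lock, and the natural follow-up check is whether the pins for selfsigned and node-forge actually moved. The script below is an added example (not code from the issue thread, from yarn, or from webpack-dev-server) that parses a v1 yarn.lock and lists any resolved version of a package older than a minimum you supply. The lock text is constructed; the 1.10.8 threshold for selfsigned comes from the resolutions entry above, and the 0.10.0 threshold for node-forge is an assumption, so take it from the advisory you are acting on.

```javascript
// Added example, not code from the issue thread, yarn or webpack-dev-server: parse a
// v1 yarn.lock and list pins older than a minimum, to confirm that a resolutions entry
// or delete-and-reinstall step really moved selfsigned and node-forge forward.
// A v1 yarn.lock entry is an unindented header such as
//   "selfsigned@^1.10.7", "selfsigned@^1.10.8":
// followed by indented fields, one of them:  version "1.10.8"
function parseYarnLock(text) {
  const versions = new Map(); // package name -> Set of resolved versions
  let names = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      // Header: the package name is everything before the last "@" of each spec
      names = line.slice(0, -1).split(", ").map((spec) => {
        const s = spec.replace(/^"|"$/g, "");
        return s.slice(0, s.lastIndexOf("@"));
      });
      continue;
    }
    const m = line.match(/^\s+version\s+"([^"]+)"/);
    if (!m) continue;
    for (const n of names) {
      if (!versions.has(n)) versions.set(n, new Set());
      versions.get(n).add(m[1]);
    }
  }
  return versions;
}
// Dotted numeric comparison; enough for x.y.z releases (pre-release tags not handled).
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}
// Resolved versions of `pkg` in the lock file that are older than `minVersion`.
function outdatedVersions(lockText, pkg, minVersion) {
  const found = parseYarnLock(lockText).get(pkg) || new Set();
  return [...found].filter((v) => compareVersions(v, minVersion) < 0).sort();
}
// Constructed sample: selfsigned was updated, but a stale node-forge pin remains.
const SAMPLE_LOCK = `node-forge@0.9.0:
  version "0.9.0"
"selfsigned@^1.10.7", "selfsigned@^1.10.8":
  version "1.10.8"
  dependencies:
    node-forge "^0.10.0"
`;
console.log(outdatedVersions(SAMPLE_LOCK, "node-forge", "0.10.0")); // [ '0.9.0' ]
```

Run it against your real file with `outdatedVersions(require("fs").readFileSync("yarn.lock", "utf8"), "node-forge", "<fixed version>")`; an empty array means every pin of that package is at or above the minimum.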
