
fix(deps): update dependency node-forge to version 0.10.0 🌟 #8800

Merged
merged 1 commit into from Oct 9, 2020

Conversation


@renovate renovate bot commented Oct 9, 2020

This PR contains the following updates:

Package: node-forge
Type: dependencies
Update: minor
Change: 0.9.0 -> 0.10.0

GitHub Vulnerability Alerts

CVE-2020-7720

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.


Release Notes

digitalbazaar/forge

v0.10.0


Changed
  • BREAKING: Node.js 4 no longer supported. The code may still work, and
    non-invasive patches to keep it working will be considered. However, more
    modern tools no longer support old Node.js versions making testing difficult.
Removed
  • BREAKING: Remove util.getPath, util.setPath, and util.deletePath.
    util.setPath had a potential prototype pollution security issue when used
    with unsafe inputs. These functions are not used by forge itself. They date
    from an early time when forge was targeted at providing general helper
    functions. The library direction changed to be more focused on cryptography.
    Many other excellent libraries are more suitable for general utilities. If
    you need a replacement for these functions, consider get, set, and unset
    from lodash. But also consider the potential similar
    security issues with those APIs.

v0.9.2


Changed
  • Added util.setPath security note to function docs and to README.
Notes
  • SECURITY: The util.setPath function has the potential to cause
    prototype pollution if used with unsafe input.
  • This function is not used internally by forge.
  • The rest of the library is unaffected by this issue.
  • Do not use unsafe input with this function.
  • Usage with known input should function as expected. (Including input
    intentionally using potentially problematic keys.)
  • No code changes will be made to address this issue in 0.9.x. The current
    behavior could be considered a feature rather than a security issue.
    0.10.0 will be released that removes util.getPath and util.setPath.
    Consider get and set from lodash if you need
    replacements. But also consider the potential similar security issues with
    those APIs.
  • https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720

v0.9.1


Fixed
  • Ensure DES-CBC given IV is long enough for block size.

Renovate configuration

📅 Schedule: "" in timezone America/New_York.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.
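The prototype-pollution hazard the release notes above describe for util.setPath, shown as an added example that is not node-forge's own code: a minimal setPath-style helper in the shape the changelog warns about, next to a hardened variant that refuses the keys through which a caller-controlled path can reach Object.prototype. Function names (unsafeSetPath, safeSetPath, isSafeKey) and the sample paths are constructed for illustration.

```javascript
// Added example, not node-forge's code: a minimal setPath-style helper of the
// kind the changelog describes, next to a hardened variant that refuses the
// keys through which a caller-controlled path reaches Object.prototype.

// Problem shape: every key in the path is used to walk or create nested
// objects, so the path ["__proto__", "polluted"] walks into
// Object.prototype and writes a property that every object then inherits.
function unsafeSetPath(obj, keys, value) {
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Keys that can redirect the walk from the target object to a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return typeof key === 'string' && key.length > 0 && !FORBIDDEN_KEYS.has(key);
}

// Hardened variant: validates every key up front, only descends into own
// data properties (never inherited ones), and creates intermediate nodes
// without a prototype so there is nothing to pollute through them.
function safeSetPath(obj, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  if (keys.length === 0 || !keys.every(isSafeKey)) {
    throw new TypeError('unsafe or empty key in path: ' + JSON.stringify(keys));
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}
```

The same key allow-list check is the review test to apply to any get/set/unset replacement you adopt, which is the caveat the changelog raises about lodash-style helpers.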

@renovate renovate bot added renovate Triggered by renovatebot type: dependencies labels Oct 9, 2020

cypress-bot bot commented Oct 9, 2020

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.

cypress bot commented Oct 9, 2020



Test summary

8602 0 124 3


Run details

Project cypress
Status Passed
Commit 936cb05
Started Oct 9, 2020 9:11 AM
Ended Oct 9, 2020 9:23 AM
Duration 11:48 💡
OS Linux Debian - 10.2
Browser Multiple

View run in Cypress Dashboard ➡️


This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard


@jennifer-shehane jennifer-shehane left a comment


A few breaking changes - dropping Node.js 4 and removing some util functions that I don't see us using.

@jennifer-shehane jennifer-shehane merged commit 675265a into develop Oct 9, 2020
@renovate renovate bot deleted the renovate/npm-node-forge-vulnerability branch October 9, 2020 11:08

cypress-bot bot commented Oct 14, 2020

Released in 5.4.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v5.4.0, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Oct 14, 2020