Windows MSI Installer for Node/npm (LTS) uses vulnerable/obsolete security certificate hash, SHA1 #4522
Comments
|
@Trott do you want to move this one, doesn't seem like the right repo |
I'm not sure if the right repo would be the build repo or the release repo or the main node repo, but once I figure that out, I'll move it. That's assuming this isn't a case of "Hey, don't report security issues in a public repo. Please follow the https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security (which is what the 'Security' link in the header nav on the site points to)." |
|
@CalculonPrime please feel free to follow the security guide mentioned by @Trott about how to report security issues. Closing this one, Thanks! |
|
This probably does the trick: nodejs/node#47206 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
SHA1 is vulnerable, as reported years ago by Google and other security researchers. Collisions can be generated in the real world. You need to move to SHA256/SHA512.
The text was updated successfully, but these errors were encountered: