Skip to content
This repository has been archived by the owner on May 3, 2023. It is now read-only.

Bump node-forge and heroku #38

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 2, 2022

Bumps node-forge to 1.3.0 and updates ancestor dependency heroku. These dependencies need to be updated together.

Updates node-forge from 0.7.5 to 1.3.0

Changelog

Sourced from node-forge's changelog.

1.3.0 - 2022-03-17

Security

  • Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh (moosa-yahyazadeh@uiowa.edu).
  • HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.
  • HIGH: Failing to check tailing garbage bytes can lead to signature forgery.
  • MEDIUM: Leniency in checking type octet.
    • DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
    • CVE ID: CVE-2022-24773
    • GHSA ID: GHSA-2r2c-g63r-vccr

Fixed

  • [asn1] Add fallback to pretty print invalid UTF8 data.
  • [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
    • NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
  • [rsa] Add and use a validator to check for proper structure of parsed ASN.1 RSASSA-PKCS-v1_5 DigestInfo data. Additionally check that the hash algorithm identifier is a known value from RFC 8017 PKCS1-v1-5DigestAlgorithms. An invalid DigestInfo or algorithm identifier will now throw an error.
    • NOTE: The previous lenient behavior is being changed to be more strict since it could lead to security issues with crafted inputs. It is possible that code may have to handle the errors from these stricter checks.

... (truncated)

Commits

Updates heroku from 7.59.2 to 7.67.1

Release notes

Sourced from heroku's releases.

v7.67.1

  • 307fd9657 chore(run): update example for heroku run: use a dyno type that make sense (#2064)

v7.67.0

  • 0f52326c0 feat(cli): remove references to free (#2145)
  • aad2046cc docs: update cli readme (#2152)
  • d8b95c0d4 chore(deps): bump lodash from 4.17.20 to 4.17.21 (#1805)

v7.66.4

  • 2ecf425ed fix(ci): set HEROKU_AUTHOR (#2140)

v7.66.3

  • 7abf71b4e fix(ci): fix release key path (#2135)
  • bd32cdcee fix: debian builds to run in ci round 2 (#2132)
  • d532ced9b fix(ci): set AWS_EC2_METADATA_DISABLED to true (#2131)
  • 8f8062261 fix: debian builds (#2128)
  • 7e9349ee0 chore(ci): replace circle env vars with gha env vars (#2129)

v7.66.2

  • 6df32a5d2 fix: comment out signed deb steps (#2125)

v7.66.1

  • 9e7d9d2f0 Comment out pack_deb (#2123)

v7.66.0

  • df403732e chore(ps-v5): update heroku ps plans pre nov 28 (#2118)
  • e03af8af5 chore(deps): bump follow-redirects from 1.13.0 to 1.15.1 (#2031)
  • 821ecf9f6 chore: update ci (#2083)
  • 55e7f033c chore(ci): added github actions ci (#2078)
  • 39746e268 (tag: v7.65.0) v7.65.0 (#2079)

v7.65.0

  • 7153817fa feat(pg-v5): Support pg mini plans (#2072)

v7.64.0

  • 7ae31bbc9 chore(cli): bump @​heroku-cli/plugin-ps-exec (#2066)

v7.63.4

  • cb9e62dd1 Remove githead (#2062)
  • 64f999cc4 v7.63.3 (#2061)
  • 96049f667 Remove oclif.manifest.json files (#2058)
  • a63a272cb Revert "migrate to github workflows for tests & releases (#2036)" (#2059)
  • 2e11ed73d release v7.63.2 (#2056)
  • 7a78c0ec6 fix: use a different outliers query for new pg versions (#2051)
  • b9c5a6a93 v7.63.1 (#2055)
  • 776761066 remove ssl-endpoint references (#2054)
  • 83ca78cef migrate to github workflows for tests & releases (#2036)

v7.63.0

  • 0608f5e17 feat(pg-v5): accept a list of extensions to pre-install for pg:backups:restore and pg:reset (#2043)

... (truncated)

Changelog

Sourced from heroku's changelog.

7.67.1 (2022-11-30)

Note: Version bump only for package heroku

7.67.0 (2022-11-29)

Note: Version bump only for package heroku

7.66.4 (2022-11-16)

Note: Version bump only for package heroku

7.66.3 (2022-11-14)

Bug Fixes

7.66.2 (2022-11-10)

Note: Version bump only for package heroku

7.66.1 (2022-11-09)

Note: Version bump only for package heroku

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by 7ftz, a new releaser for heroku since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [node-forge](https://github.com/digitalbazaar/forge) to 1.3.0 and updates ancestor dependency [heroku](https://github.com/heroku/cli). These dependencies need to be updated together.


Updates `node-forge` from 0.7.5 to 1.3.0
- [Release notes](https://github.com/digitalbazaar/forge/releases)
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@0.7.5...v1.3.0)

Updates `heroku` from 7.59.2 to 7.67.1
- [Release notes](https://github.com/heroku/cli/releases)
- [Changelog](https://github.com/heroku/cli/blob/master/CHANGELOG.md)
- [Commits](heroku/cli@v7.59.2...v7.67.1)

---
updated-dependencies:
- dependency-name: node-forge
  dependency-type: indirect
- dependency-name: heroku
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Dec 2, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

0 participants