
Upgrade vulnerable package selfsigned

Open pbasista opened this issue 2 years ago • 0 comments

After installing @deepkit/framework:

$ npm audit
# npm audit report

node-forge  <=1.2.1
Severity: high
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq

The report also mentions that @deepkit/framework depends on vulnerable versions of selfsigned (1.1.1 - 1.10.14) which in turn depend on vulnerable versions of node-forge (<=1.2.1).

It seems that a simple way to resolve this issue would be to upgrade the selfsigned library to its latest version 2.1.1.

pbasista, Sep 12 '22 08:09