Vulnerability detected in node-forge

I've recently started a new Vue.js project. After my most recent GitHub commit, I received the following Dependabot notice:

Known high severity security vulnerability detected in node-forge < 0.10.0 defined in package-lock.json. package-lock.json update suggested: node-forge ~> 0.10.0.

How do I go about updating node-forge? I've run npm audit fix.

node-forge is only in my package-lock.json file and is required by "selfsigned" dependency.

Loren asked Sep 15 '20 11:09



4 Answers

You could try

npm update

This should update all packages to the latest version, respecting the semantic versioning rules in your package.json / package-lock.json.

You can also try allowing Dependabot to generate a pull request to fix the issue. If you select the alert itself you should see a button like so:

[screenshot: Dependabot alert button]

This will attempt to create a pull request (this won't always succeed) and will take a few minutes usually. Once this is complete you can review and merge.

Terry Lennox answered Oct 28 '22 00:10


Causation:

[email protected] needs to be updated to node-forge@^0.10.0

Solution (NPM)

rm -rf node_modules

rm package-lock.json

npm cache clean --force

npm install

Solution (Yarn)

rm -rf node_modules

rm yarn.lock

yarn cache clean

yarn

Explanation

This should cause the library that's using node-forge to update its own dependencies.

Joshua Michael Calafell answered Oct 27 '22 23:10


In case npm update doesn't resolve it, I fixed it by deleting package-lock.json & node_modules, then running npm install to recreate both.

I expect this is a quick-and-dirty fix & may not be ideal for team development, but this is a high severity security flaw that's over 3 weeks old & needs to be addressed. Be sure to run git diff on package-lock.json & verify it didn't update anything it shouldn't have.

For me, Dependabot didn't create a PR as it usually does, as the flaw was in node-forge 0.9.0 and the patch was in 0.10.0, which selfsigned considered a breaking change. npm audit didn't find any vulnerability, & npm update made several updates, but didn't update node-forge to 0.10.0, nor selfsigned to 1.10.8 (which updates its node-forge version reference). I was using webpack-dev-server 3.11.0 which depends on selfsigned ^1.10.7. After recreating package-lock.json, the webpack-dev-server reference was unchanged, but selfsigned & node-forge versions were updated, which is exactly what I wanted.

PtrJsn answered Oct 28 '22 00:10
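The question and the answer above both hinge on a transitive copy of node-forge that `npm audit` and `npm update` missed. The following is an added example, not code from the question or any answer: it walks an npm 6 style package-lock.json (lockfileVersion 1, nested `dependencies`) and reports every installed copy of a package that is below the fixed version, with the chain that pulls it in. The lockfile object is constructed for the example and mirrors the webpack-dev-server > selfsigned > node-forge chain described above.

```javascript
// Added example: find every installed copy of a package below a fixed version
// in a lockfileVersion 1 package-lock.json, with the dependency path to it.
// The lockfile below is constructed for the example (not a real project's file).

const constructedLock = {
  lockfileVersion: 1,
  dependencies: {
    "webpack-dev-server": {
      version: "3.11.0",
      dependencies: {
        selfsigned: {
          version: "1.10.7",
          dependencies: { "node-forge": { version: "0.9.0" } }
        }
      }
    },
    "node-forge": { version: "0.10.0" }
  }
};

// Compare two "x.y.z" versions numerically; returns <0, 0 or >0 (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every installed copy of `name` whose version is below `fixedIn`.
function findVulnerable(lock, name, fixedIn) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const here = [...path, `${depName}@${entry.version}`];
      if (depName === name && compareVersions(entry.version, fixedIn) < 0) {
        hits.push({ version: entry.version, path: here.join(" > ") });
      }
      walk(entry.dependencies, here); // nested copies live under each entry
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

console.log(findVulnerable(constructedLock, "node-forge", "0.10.0"));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the constructed object; the top-level node-forge 0.10.0 is not reported, only the nested 0.9.0 copy under selfsigned.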


Try: npm i node-forge@latest

You can try the above command if npm update and removing node_modules and package-lock.json did not work. It updated node-forge to the latest version for me.

Anlanther answered Oct 28 '22 01:10