I've recently started a new Vue.js project. After my most recent GitHub commit, I received the following Dependabot notice:
Known high severity security vulnerability detected in node-forge < 0.10.0 defined in package-lock.json. package-lock.json update suggested: node-forge ~> 0.10.0.
How do I go about updating node-forge? I've run npm audit fix.
node-forge is only in my package-lock.json file and is required by "selfsigned" dependency.
A Vulnerability In an NPM Package Could Allow for Remote Code Execution.
You could try
npm update
This should update all packages to the latest version, respecting the semantic versioning rules in your package.json / package-lock.json.
You can also try allowing Dependabot to generate a pull request to fix the issue. If you select the alert itself you should see a button like so:
This will attempt to create a pull request (this won't always succeed) and will take a few minutes usually. Once this is complete you can review and merge.
node-forge (< 0.10.0) needs to be updated to node-forge@^0.10.0
# with npm:
rm -rf node_modules
rm package-lock.json
npm cache clean --force
npm i
# with yarn:
rm -rf node_modules
rm yarn.lock
yarn cache clean
yarn
This should cause the library that's using node-forge to update its own dependencies.
In case npm update doesn't resolve it, I fixed it by deleting package-lock.json & node_modules, then running npm install to recreate both.
I expect this is a quick-and-dirty fix & may not be ideal for team development, but this is a high severity security flaw that's over 3 weeks old & needs to be addressed. Be sure to run git diff on package-lock.json & verify it didn't update anything it shouldn't have.
For me, Dependabot didn't create a PR as it usually does, as the flaw was in node-forge 0.9.0 and the patch was in 0.10.0, which selfsigned considered a breaking change. npm audit didn't find any vulnerability, & npm update made several updates, but didn't update node-forge to 0.10.0, nor selfsigned to 1.10.8 (which updates its node-forge version reference). I was using webpack-dev-server 3.11.0 which depends on selfsigned ^1.10.7. After recreating package-lock.json, the webpack-dev-server reference was unchanged, but selfsigned & node-forge versions were updated, which is exactly what I wanted.
Try: npm i node-forge@latest
You can try the above command if npm update and removing node_modules and package-lock.json did not work for you. It updated node-forge to the latest version for me.