Skip to content

Bump the prod-dependencies group across 1 directory with 2 updates#1647

Open
dependabot[bot] wants to merge 2 commits intomainfrom
dependabot/npm_and_yarn/prod-dependencies-4be7bffcfe
Open

Bump the prod-dependencies group across 1 directory with 2 updates#1647
dependabot[bot] wants to merge 2 commits intomainfrom
dependabot/npm_and_yarn/prod-dependencies-4be7bffcfe

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 29, 2026

Bumps the prod-dependencies group with 2 updates in the / directory: dockerode and node-forge.

Updates dockerode from 4.0.9 to 4.0.10

Release notes

Sourced from dockerode's releases.

v4.0.10

What's Changed

New Contributors

Full Changelog: apocas/dockerode@v4.0.9...v4.0.10

Commits
  • bd0e27a fix: refine hijack option handling in attach method
  • 4e671af fix: update stdin handling in attach method and bump dependencies to version ...
  • 7d91490 Merge pull request #825 from apocas/dependabot/npm_and_yarn/minimatch-5.1.9
  • 7435e03 Merge pull request #824 from davidgamero/buildkit-progress
  • 70a3b41 Bump minimatch from 5.1.6 to 5.1.9
  • 3f9ec66 add comment to proto file
  • 811d9b7 feat: followProgress BuildKit support
  • 5d4b860 Merge pull request #823 from parishahla/fix/update-docker-api-links
  • acc5096 fix(readme): update docker api links
  • b58b941 Merge pull request #820 from apocas/dependabot/npm_and_yarn/js-yaml-4.1.1
  • Additional commits viewable in compare view

Updates node-forge from 1.3.3 to 1.4.0

Changelog

Sourced from node-forge's changelog.

1.4.0 - 2026-03-24

Security

  • HIGH: Denial of Service in BigInteger.modInverse()
    • A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
    • Reported by Kr0emer.
    • CVE ID: CVE-2026-33891
    • GHSA ID: GHSA-5gfm-wpxj-wjgq
  • HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
    • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.
    • Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
    • Reported as part of a U.C. Berkeley security research project by:
      • Austin Chu, Sohee Kim, and Corban Villa.
    • CVE ID: CVE-2026-33894
    • GHSA ID: GHSA-ppp5-5v6c-4jwp
  • HIGH: Signature forgery in Ed25519 due to missing S < L check.
    • Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
    • Reported as part of a U.C. Berkeley security research project by:
      • Austin Chu, Sohee Kim, and Corban Villa.
    • CVE ID: CVE-2026-33895
    • GHSA ID: GHSA-q67f-28xg-22rw
  • HIGH: basicConstraints bypass in certificate chain verification.
    • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
    • Reported by Doruk Tan Ozturk (@​peaktwilight) - doruk.ch
    • CVE ID: CVE-2026-33896
    • GHSA ID: GHSA-2328-f5f3-gj25

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the prod-dependencies group across 1 directory with 2 updates
be90870 
Bumps the prod-dependencies group with 2 updates in the / directory: [dockerode](https://github.com/apocas/dockerode) and [node-forge](https://github.com/digitalbazaar/forge).


Updates `dockerode` from 4.0.9 to 4.0.10
- [Release notes](https://github.com/apocas/dockerode/releases)
- [Commits](apocas/dockerode@v4.0.9...v4.0.10)

Updates `node-forge` from 1.3.3 to 1.4.0
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.3...v1.4.0)

---
updated-dependencies:
- dependency-name: dockerode
  dependency-version: 4.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
- dependency-name: node-forge
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file Fanout javascript Pull requests that update Javascript code labels Mar 29, 2026
@dependabot dependabot bot requested a review from a team as a code owner March 29, 2026 22:03
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code Fanout labels Mar 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file Fanout javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants