Bump node-forge to 1.4.0 & @types/node-forge to address CVEs (#5738)

* Bump node-forge to 1.4.0 to address CVEs
GHSA-2328-f5f3-gj25, GHSA-q67f-28xg-22rw, GHSA-5m6q-g25r-mvwx, GHSA-ppp5-5v6c-4jwp

* Fix @types/node-forge 1.3.14 type incompatibility in CertificateManager

Upgrade @types/node-forge from 1.0.4 to 1.3.14 to match the node-forge 1.4.0
bump. The newer types widen pki.PrivateKey to pki.rsa.PrivateKey | Buffer, so
cast to pki.rsa.PrivateKey at the two certificate.sign() call sites — safe
since both keys come from forge.pki.rsa.generateKeyPair().

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Camille Malonzo <cmalonzo@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: cmalonzo

common/changes/@rushstack/debug-certificate-manager/node-forge-1.4.0_2026-03-31-17-35.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@rushstack/debug-certificate-manager",
+      "comment": "Bump node-forge to 1.4.0 to address CVEs GHSA-2328-f5f3-gj25, GHSA-q67f-28xg-22rw, GHSA-5m6q-g25r-mvwx, GHSA-ppp5-5v6c-4jwp\"",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@rushstack/debug-certificate-manager"
+}

common/config/subspaces/build-tests-subspace/pnpm-lock.yaml

@@ -1,6 +1,6 @@
 // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
 {
-  "pnpmShrinkwrapHash": "306357c78efe97f545fc0681fdb84d17f79bbbb2",
+  "pnpmShrinkwrapHash": "b521001fa31a13e992f9979b1292951aa6452daa",
   "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9",
-  "packageJsonInjectedDependenciesHash": "0750dcefdccb64160667c86a2af1ba7854f159e2"
+  "packageJsonInjectedDependenciesHash": "a9488da9faaa4bc0166edfe82f2177d7a68e4cb1"
 }

common/config/subspaces/build-tests-subspace/repo-state.json

@@ -1,5 +1,5 @@
 // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
 {
-  "pnpmShrinkwrapHash": "958d2b2f4a0d7c66f79432acbee97ea344254ed6",
+  "pnpmShrinkwrapHash": "e23050723096714a6ca776a9d1b1f3d558cdb2fd",
   "preferredVersionsHash": "029c99bd6e65c5e1f25e2848340509811ff9753c"
 }

common/config/subspaces/default/pnpm-lock.yaml

@@ -40,11 +40,11 @@
   "dependencies": {
     "@rushstack/node-core-library": "workspace:*",
     "@rushstack/terminal": "workspace:*",
-    "node-forge": "~1.3.1"
+    "node-forge": "~1.4.0"
   },
   "devDependencies": {
     "@rushstack/heft": "workspace:*",
-    "@types/node-forge": "1.0.4",
+    "@types/node-forge": "1.3.14",
     "eslint": "~9.37.0",
     "local-node-rig": "workspace:*"
   },

common/config/subspaces/default/repo-state.json

@@ -380,7 +380,7 @@ export class CertificateManager {
     ]);
 
     // self-sign certificate
-    certificate.sign(keys.privateKey, forge.md.sha256.create());
+    certificate.sign(keys.privateKey as pki.rsa.PrivateKey, forge.md.sha256.create());
 
     return {
       certificate,
@@ -475,7 +475,7 @@ export class CertificateManager {
     ]);
 
     // Sign certificate with CA
-    certificate.sign(caPrivateKey, forge.md.sha256.create());
+    certificate.sign(caPrivateKey as pki.rsa.PrivateKey, forge.md.sha256.create());
 
     // convert a Forge certificate to PEM
     const caPem: string = forge.pki.certificateToPem(caCertificate);