

cmalonzoclaude
andauthored
Bump node-forge to 1.4.0 & @types/node-forge to address CVEs (#5738)
* Bump node-forge to 1.4.0 to address CVEs GHSA-2328-f5f3-gj25, GHSA-q67f-28xg-22rw, GHSA-5m6q-g25r-mvwx, GHSA-ppp5-5v6c-4jwp * Fix @types/node-forge 1.3.14 type incompatibility in CertificateManager Upgrade @types/node-forge from 1.0.4 to 1.3.14 to match the node-forge 1.4.0 bump. The newer types widen pki.PrivateKey to pki.rsa.PrivateKey | Buffer, so cast to pki.rsa.PrivateKey at the two certificate.sign() call sites — safe since both keys come from forge.pki.rsa.generateKeyPair(). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Camille Malonzo <cmalonzo@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 49dc367 commit 1504c2c

7 files changed

Lines changed: 30 additions & 27 deletions


Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
{
2+
"changes": [
3+
{
4+
"packageName": "@rushstack/debug-certificate-manager",
5+
"comment": "Bump node-forge to 1.4.0 to address CVEs GHSA-2328-f5f3-gj25, GHSA-q67f-28xg-22rw, GHSA-5m6q-g25r-mvwx, GHSA-ppp5-5v6c-4jwp\"",
6+
"type": "patch"
7+
}
8+
],
9+
"packageName": "@rushstack/debug-certificate-manager"
10+
}

common/config/subspaces/build-tests-subspace/pnpm-lock.yaml

Lines changed: 5 additions & 5 deletions
Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
11
// DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
22
{
3-
"pnpmShrinkwrapHash": "306357c78efe97f545fc0681fdb84d17f79bbbb2",
3+
"pnpmShrinkwrapHash": "b521001fa31a13e992f9979b1292951aa6452daa",
44
"preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9",
5-
"packageJsonInjectedDependenciesHash": "0750dcefdccb64160667c86a2af1ba7854f159e2"
5+
"packageJsonInjectedDependenciesHash": "a9488da9faaa4bc0166edfe82f2177d7a68e4cb1"
66
}

common/config/subspaces/default/pnpm-lock.yaml

Lines changed: 8 additions & 15 deletions
Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
// DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
22
{
3-
"pnpmShrinkwrapHash": "958d2b2f4a0d7c66f79432acbee97ea344254ed6",
3+
"pnpmShrinkwrapHash": "e23050723096714a6ca776a9d1b1f3d558cdb2fd",
44
"preferredVersionsHash": "029c99bd6e65c5e1f25e2848340509811ff9753c"
55
}

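--- a/libraries/debug-certificate-manager/package.json
+++ b/libraries/debug-certificate-manager/package.json
@@ -40,11 +40,11 @@
 "dependencies": {
 "@rushstack/node-core-library": "workspace:*",
 "@rushstack/terminal": "workspace:*",
-"node-forge": "~1.3.1"
+"node-forge": "~1.4.0"
 },
 "devDependencies": {
 "@rushstack/heft": "workspace:*",
-"@types/node-forge": "1.0.4",
+"@types/node-forge": "1.3.14",
 "eslint": "~9.37.0",
 "local-node-rig": "workspace:*"
 },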

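--- a/libraries/debug-certificate-manager/src/CertificateManager.ts
+++ b/libraries/debug-certificate-manager/src/CertificateManager.ts
@@ -380,7 +380,7 @@ export class CertificateManager {
 ]);
 
 // self-sign certificate
-certificate.sign(keys.privateKey, forge.md.sha256.create());
+certificate.sign(keys.privateKey as pki.rsa.PrivateKey, forge.md.sha256.create());
 
 return {
 certificate,
@@ -475,7 +475,7 @@ export class CertificateManager {
 ]);
 
 // Sign certificate with CA
-certificate.sign(caPrivateKey, forge.md.sha256.create());
+certificate.sign(caPrivateKey as pki.rsa.PrivateKey, forge.md.sha256.create());
 
 // convert a Forge certificate to PEM
 const caPem: string = forge.pki.certificateToPem(caCertificate);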
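Review bot: The `as pki.rsa.PrivateKey` cast on `caPrivateKey` at line 478 silences the widened `pki.rsa.PrivateKey | Buffer` type rather than narrowing it, and unlike `keys.privateKey` at line 383 nothing in this hunk shows where `caPrivateKey` comes from. The commit message states both keys originate from `forge.pki.rsa.generateKeyPair()`; if that holds, record it next to the cast so the next reader does not have to re-derive the safety argument, e.g. `// caPrivateKey is an RSA key from forge.pki.rsa.generateKeyPair(); the cast only narrows the PrivateKey | Buffer union introduced by @types/node-forge 1.3.x`. If the CA key can instead arrive from a PEM file or a stored buffer, prefer a runtime guard such as `if (Buffer.isBuffer(caPrivateKey)) throw new Error('CA private key must be an RSA key object');` over a compile-time assertion, so a Buffer fails before it reaches `certificate.sign`. Both enclosing methods start and end outside the hunks.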
