
Bump node-forge to 1.4.0 & @types/node-forge to address CVEs #5738

Merged
iclanton merged 2 commits into microsoft:main from cmalonzo:node-forge/1.4.0 on Apr 1, 2026

Conversation

cmalonzo (Contributor) commented Mar 31, 2026

Addresses 4 CVEs:

Smoke testing

  1. Run smoke test:

     node -e "
       const { CertificateManager } = require('./lib-commonjs/index.js');
       const cm = new CertificateManager();
       cm.ensureCertificateAsync(true, undefined, { skipCertificateTrust: true })
         .then(cert => {
           console.log('CA cert length:', cert.pemCaCertificate?.length);
           console.log('TLS cert length:', cert.pemCertificate?.length);
           console.log('Key length:', cert.pemKey?.length);
           console.log('Subject alt names:', cert.subjectAltNames);
           console.log('SUCCESS');
         })
         .catch(err => { console.error('FAIL:', err.message); process.exit(1); });
     "

  2. See successful outputs:

     CA cert length: 1418
     TLS cert length: 1336
     Key length: 1702
     Subject alt names: [ 'localhost', '127.0.0.1' ]
     SUCCESS

iclanton (Member) commented Apr 1, 2026

How was this tested?

cmalonzo (Contributor, Author) commented Apr 1, 2026

> How was this tested?

Updating the description

Upgrade @types/node-forge from 1.0.4 to 1.3.14 to match the node-forge 1.4.0
bump. The newer types widen pki.PrivateKey to pki.rsa.PrivateKey | Buffer, so
cast to pki.rsa.PrivateKey at the two certificate.sign() call sites — safe
since both keys come from forge.pki.rsa.generateKeyPair().

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cmalonzo changed the title from "Bump node-forge to 1.4.0 to address CVEs" to "Bump node-forge to 1.4.0 & @types/node-forge to address CVEs" on Apr 1, 2026
iclanton merged commit 1504c2c into microsoft:main on Apr 1, 2026
6 checks passed
github-project-automation bot moved this from Needs triage to Closed in Bug Triage on Apr 1, 2026