Issue with deep dependency node-forge
caveen1999 opened this issue
caveen1999 commented
We are using the passport-wsfed-saml2 package, version 4.1.0. passport-wsfed-saml2 has a deep dependency on node-forge version ^0.7.0.
The dependency tree is like below:

```
`-- passport-wsfed-saml2@4.1.0
    `-- xml-encryption@0.12.0 (github:auth0/node-xml-encryption#3571b587847fb8e0867870d2c2bfcaa0521b45dc)
        `-- node-forge@0.7.6
```

node-forge@0.7.6 has the high-risk security vulnerability CVE-2020-7720 (https://nvd.nist.gov/vuln/detail/CVE-2020-7720). This vulnerability is fixed in version 0.10.0 of node-forge.
So updating the xml-encryption package would resolve this vulnerability. Please update the package to resolve the vulnerability. Thanks.
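A way to check whether a project's lock file still contains a copy of node-forge below the version in which the issue is fixed, as an added example; it is not code from this issue or from the passport-wsfed-saml2 or xml-encryption projects. The lock-file fragment is constructed to mirror the tree above; the hoisted top-level node-forge@1.0.0 entry is an assumption, included to show that a fixed copy elsewhere in the tree does not clear a nested, older copy. It handles both the `packages` layout (lockfileVersion 2/3) and the recursive `dependencies` layout (lockfileVersion 1).

```python
import json
import re

# Constructed package-lock.json fragment (lockfileVersion 2/3 "packages"
# layout) mirroring the tree reported in the issue. The hoisted
# node_modules/node-forge@1.0.0 entry is an assumption added for illustration.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"passport-wsfed-saml2": "4.1.0"}},
        "node_modules/passport-wsfed-saml2": {"version": "4.1.0"},
        "node_modules/passport-wsfed-saml2/node_modules/xml-encryption":
            {"version": "0.12.0"},
        "node_modules/passport-wsfed-saml2/node_modules/xml-encryption"
        "/node_modules/node-forge": {"version": "0.7.6"},
        "node_modules/node-forge": {"version": "1.0.0"},
    },
})

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) so versions compare numerically;
    0.7.6 < 0.10.0 holds here, whereas a plain string comparison would not."""
    m = _SEMVER.match(text.strip())
    if m is None:
        raise ValueError(f"not a semver string: {text!r}")
    return tuple(int(part) for part in m.groups())


def _walk_v1(deps, chain, name):
    # lockfileVersion 1 nests non-hoisted copies under "dependencies" recursively.
    for dep, meta in deps.items():
        here = chain + [dep]
        if dep == name:
            yield here, meta["version"]
        yield from _walk_v1(meta.get("dependencies", {}), here, name)


def installed_copies(lock, name):
    """Yield (dependency chain, version) for every installed copy of `name`,
    including nested copies that `npm ls` would show indented under a parent."""
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            # "node_modules/a/node_modules/b" -> ["a", "b"]; scoped names keep their "/"
            chain = [p.rstrip("/") for p in path.split("node_modules/") if p]
            if chain and chain[-1] == name:
                yield chain, meta["version"]
    else:
        yield from _walk_v1(lock.get("dependencies", {}), [], name)


def vulnerable_copies(lock_text, name, fixed_in):
    """Return [(chain, version)] for every copy of `name` older than `fixed_in`."""
    lock = json.loads(lock_text)
    fixed = parse_version(fixed_in)
    return [
        (" > ".join(chain), version)
        for chain, version in installed_copies(lock, name)
        if parse_version(version) < fixed
    ]


if __name__ == "__main__":
    for chain, version in vulnerable_copies(SAMPLE_LOCK, "node-forge", "1.0.0"):
        print(f"{chain}@{version} is below the fixed version")
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with the file's contents; the chain it prints is the path you need to bump (here the copy pinned by xml-encryption), which a hoisted newer node-forge at the top level does not replace.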
Rafael M. commented
Adding CVE-2022-0122 of peer dependency node-forge@^0.10.0 to this issue; please update the dependency to v1.0.0.