auth0 / passport-wsfed-saml2

Passport strategy for both the WS-Fed and SAML2 protocols

Issue with deep dependency node-forge

caveen1999 opened this issue · comments

We are using the passport-wsfed-saml2 package, version 4.1.0. passport-wsfed-saml2 has a deep dependency on node-forge at version ^0.7.0.
The dependency tree is like below:

```
`-- passport-wsfed-saml2@4.1.0
  `-- xml-encryption@0.12.0 (github:auth0/node-xml-encryption#3571b587847fb8e0867870d2c2bfcaa0521b45dc)
    `-- node-forge@0.7.6
```

node-forge@0.7.6 has the high-risk security vulnerability CVE-2020-7720 (https://nvd.nist.gov/vuln/detail/CVE-2020-7720). This vulnerability is fixed in version 0.10.0 of node-forge.

So updating the xml-encryption package would resolve this vulnerability. Please update the package to resolve it. Thanks.

Adding CVE-2022-0122 of the peer dependency node-forge@^0.10.0 to this issue; please update the dependency to v1.0.0.
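The issue describes a vulnerable transitive copy of node-forge that `npm ls` exposes but that a top-level `package.json` review would miss. The following is an added example, not code from the issue author or from the passport-wsfed-saml2 project: it walks a dependency tree in the shape `npm ls --json` produces (`version` plus a nested `dependencies` map) and flags every install of a package whose version is below the fix release of an advisory. The fix versions are the ones stated in the issue (0.10.0 for CVE-2020-7720, 1.0.0 for CVE-2022-0122); the `SAMPLE_TREE` is constructed to mirror the tree posted above and is not real `npm ls` output. Names such as `auditPackage` and `findInstalls` are this example's own.

```javascript
// Added example (not from the issue or the passport-wsfed-saml2 project):
// flag transitive installs of a package that predate a CVE's fix release.

// Fix versions as stated in the issue text.
const NODE_FORGE_ADVISORIES = [
  { id: "CVE-2020-7720", fixedIn: "0.10.0" },
  { id: "CVE-2022-0122", fixedIn: "1.0.0" },
];

// Minimal major.minor.patch comparison; returns -1, 0 or 1.
// Prerelease tags are ignored, which is sufficient for release versions.
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` maps of an `npm ls --json`
// style tree. Returns every install of `pkgName` with its path from the root,
// so a hoisted copy and a nested copy are both reported.
function findInstalls(tree, pkgName, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkgName) out.push({ version: node.version, path: here });
    findInstalls(node, pkgName, here, out);
  }
  return out;
}

// For each install of `pkgName`, list the advisories whose fix version is
// newer than the installed version. Installs that are fully patched are omitted.
function auditPackage(tree, pkgName, advisories) {
  return findInstalls(tree, pkgName).flatMap(({ version, path }) => {
    const open = advisories.filter((a) => compareVersions(version, a.fixedIn) < 0);
    if (open.length === 0) return [];
    return [{ version, path: path.join(" > "), advisories: open.map((a) => a.id) }];
  });
}

// Constructed sample mirroring the tree in the issue (not real `npm ls` output).
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "passport-wsfed-saml2": {
      version: "4.1.0",
      dependencies: {
        "xml-encryption": {
          version: "0.12.0",
          dependencies: {
            "node-forge": { version: "0.7.6" },
          },
        },
      },
    },
  },
};

// Stand-alone run: print one line per vulnerable install.
for (const finding of auditPackage(SAMPLE_TREE, "node-forge", NODE_FORGE_ADVISORIES)) {
  console.log(`${finding.path}: ${finding.advisories.join(", ")}`);
}
```

In practice feed the script the output of `npm ls --all --json` (on npm 7 and later; older npm prints the full tree without `--all`) instead of the constructed tree. Note that bumping a transitive dependency is up to the intermediate package (here xml-encryption); until that release ships, checking the installed tree rather than the declared ranges is what tells you whether the vulnerable copy is actually present.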