Parcel: Security vulnerability on the module node-forge

Created on 2 Oct 2020 · 5Comments · Source: parcel-bundler/parcel

🐛 bug report

There is a security vulnerability on the module node-forge.
Here is the link of the information about the vulnerability:
https://www.npmjs.com/advisories/1561

🤔 Expected Behavior

No security vulnerabilities when you execute npm audit

😯 Current Behavior

There is a security vulnerability when you execute npm audit

Here is he terminal message:

                       === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             

          Visit https://go.npm.me/audit-guide for additional guidance           


  High            Prototype Pollution in node-forge                             

  Package         node-forge                                                    

  Patched in      >= 0.10.0                                                     

  Dependency of   parcel [dev]                                                  

  Path            parcel > node-forge                                           

  More info       https://npmjs.com/advisories/1561

💁 Possible Solution

Execute an npm audit fix will solve the issue

🔦 Context

I'm a developer using this npm package and it affect my app.

Source

jcawe

👍4

Most helpful comment

I also came across this issue. The latest stable version looks to be v1.12.4 which depends on v0.7.6 of node-forge.
The next version that resolves the vulnerability and references v0.10.0 of node-forge is v2.0.0-beta.1.

mohameddahrouj on 2 Oct 2020

👍2 👎1

All 5 comments

I can see after clone it, that maybe the problem is that is not published the latest version on NPM?
Because after clone it I see no audit issues in the terminal.

jcawe on 2 Oct 2020