
Being a dependabot here, node-forge is making so many vulnerabilities including cryptography #1351

Closed
hskang9 opened this issue Aug 13, 2022 · 6 comments
Labels
need/author-input Needs input from the original author

Comments


hskang9 commented Aug 13, 2022

  • Version:
    Every recent js-libp2p published version

  • Platform:
    all platforms

  • Subsystem:
    all subsystems

Severity:

From low to High

Description:

  • What you did
    I was auditing my oracle / p2p client and ran yarn audit in this repo https://github.com/digitalnativeinc/lumen
  • What happened
    I got an audit report from this one node-forge package, creating every problem from low to high
  • What you expected to happen
    no audit result from node-forge

node-forge updated to >=1.3.0

Steps to reproduce the error:

clone this repo and run yarn audit

@hskang9 hskang9 added the need/triage Needs initial labeling and prioritization label Aug 13, 2022

hskang9 commented Aug 15, 2022

@achingbrain please update node-forge like #1133


achingbrain commented Aug 15, 2022

The node-forge version libp2p depends on is ^1.2.1, which means you'll get 1.3.1 when you do an npm install libp2p. Are you seeing something different?

@achingbrain achingbrain added need/author-input Needs input from the original author and removed need/triage Needs initial labeling and prioritization labels Aug 15, 2022

hskang9 commented Aug 16, 2022

I still get this audit message after running npm install libp2p in the monorepo or inside the p2p package.

node-forge  <=1.2.1
Severity: high
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
No fix available
node_modules/node-forge
  libp2p  0.15.2 - 0.35.9-rc.2
  Depends on vulnerable versions of libp2p-crypto
  Depends on vulnerable versions of libp2p-interfaces
  Depends on vulnerable versions of node-forge
  Depends on vulnerable versions of peer-id
  node_modules/libp2p-relay-server/node_modules/libp2p
    libp2p-relay-server  *
    Depends on vulnerable versions of libp2p
    Depends on vulnerable versions of libp2p-gossipsub
    Depends on vulnerable versions of libp2p-noise
    Depends on vulnerable versions of libp2p-pubsub-peer-discovery
    Depends on vulnerable versions of peer-id
    node_modules/libp2p-relay-server
  libp2p-crypto  <=0.6.1 || 0.12.0 - 0.21.1
  Depends on vulnerable versions of node-forge
  node_modules/libp2p-crypto
  node_modules/libp2p-noise/node_modules/peer-id/node_modules/libp2p-crypto
  node_modules/libp2p-relay-server/node_modules/libp2p-interfaces/node_modules/libp2p-crypto
  node_modules/libp2p-relay-server/node_modules/peer-id/node_modules/libp2p-crypto
    libp2p-interfaces  <=1.3.1
    Depends on vulnerable versions of libp2p-crypto
    Depends on vulnerable versions of peer-id
    node_modules/libp2p-relay-server/node_modules/libp2p-interfaces
      libp2p-gossipsub  <=0.11.5
      Depends on vulnerable versions of libp2p-interfaces
      Depends on vulnerable versions of peer-id
      node_modules/libp2p-relay-server/node_modules/libp2p-gossipsub
    libp2p-noise  *
    Depends on vulnerable versions of libp2p-crypto
    Depends on vulnerable versions of peer-id
    node_modules/libp2p-noise
    peer-id  0.7.0 || 0.10.5 - 0.15.4
    Depends on vulnerable versions of libp2p-crypto
    node_modules/libp2p-noise/node_modules/peer-id
    node_modules/libp2p-relay-server/node_modules/peer-id
    node_modules/peer-id
      libp2p-pubsub-peer-discovery  *
      Depends on vulnerable versions of peer-id
      node_modules/libp2p-pubsub-peer-discovery


hskang9 commented Aug 16, 2022

Can we just change the version to 1.3.1 in the package.json file you refer here?


hskang9 commented Aug 16, 2022

If the node-forge version still does not change with ^, I think there might be other packages that fix the version to 1.2.1.

achingbrain (Member) commented

> I think there might be other packages that fix the version to 1.2.1

You can find this out by running npm ls node-forge and seeing which packages are pulling in which versions.

When I run it in a my-project directory that has had ipfs-core installed in it, I see:

% npm ls node-forge
my-project@1.0.0 /path/to/my-project
└─┬ ipfs-core@0.15.4
  ├─┬ @libp2p/crypto@0.22.14
  │ └── node-forge@1.3.1
  ├─┬ @libp2p/peer-id-factory@1.0.17
  │ └─┬ @libp2p/crypto@1.0.2
  │   └── node-forge@1.3.1 deduped
  └─┬ libp2p@0.37.3
    └── node-forge@1.3.1 deduped

So node-forge@1.3.1 is installed as expected.

> Can we just change the version to 1.3.1 in the package.json

PRs are gratefully accepted, though this should not be necessary as it is an in-range semver update.

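The `npm ls node-forge` check above can be automated over the `--json` form of the same output. The script below is an added example, not code from the libp2p project or this thread; it walks the `dependencies` maps that `npm ls node-forge --json --all` prints and lists every chain that still resolves to a node-forge older than the fixed 1.3.0. The tree embedded at the bottom is constructed to mirror the shapes reported in this issue (a deduped 1.3.1 under libp2p and a stale 1.2.1 nested under libp2p-relay-server's own libp2p); the package versions in it are assumed.

```javascript
// Added example: locate dependency chains that pin a vulnerable node-forge.
// Input shape is the JSON that `npm ls <pkg> --json --all` emits:
// { name, version, dependencies: { <name>: { version, dependencies: {...} } } }

const FIXED_IN = "1.3.0"; // first node-forge release with the advisories' fixes

// Compare two dotted x.y.z versions numerically; pre-release tags are ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk; returns an array of chains such as
// ["libp2p-relay-server@0.1.0", "libp2p@0.35.9", "node-forge@1.2.1"],
// one per copy of `pkg` whose version is below `fixedIn`.
function findVulnerableChains(tree, pkg, fixedIn) {
  const chains = [];
  const walk = (node, name, path) => {
    const here = name ? path.concat(`${name}@${node.version}`) : path;
    if (name === pkg && compareVersions(node.version, fixedIn) < 0) {
      chains.push(here);
      return;
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, here);
    }
  };
  walk(tree, null, []);
  return chains;
}

// Constructed sample tree (versions assumed); not real npm output.
const SAMPLE_TREE = {
  name: "my-project", version: "1.0.0",
  dependencies: {
    libp2p: { version: "0.37.3", dependencies: { "node-forge": { version: "1.3.1" } } },
    "libp2p-relay-server": {
      version: "0.1.0",
      dependencies: {
        libp2p: { version: "0.35.9", dependencies: { "node-forge": { version: "1.2.1" } } },
      },
    },
  },
};

for (const chain of findVulnerableChains(SAMPLE_TREE, "node-forge", FIXED_IN)) {
  console.log(chain.join(" > ")); // each line names the package that pins the old copy
}
```

Feed it the real tree with `npm ls node-forge --json --all > tree.json` and `JSON.parse` the file in place of `SAMPLE_TREE`; an empty result means every copy is already at or past 1.3.0.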