Skip to content
This repository has been archived by the owner on Oct 21, 2024. It is now read-only.

Upgrade node-forge to 0.10.0 - in 2.0.4 release #297

Closed
kidplug opened this issue Oct 2, 2020 · 14 comments
Closed

Upgrade node-forge to 0.10.0 - in 2.0.4 release #297

kidplug opened this issue Oct 2, 2020 · 14 comments
Assignees
@bcoe @sofisl
Labels
type: process A process-related concern. May include testing, release, or the like.

Comments

@kidplug
Copy link

kidplug commented Oct 2, 2020

In light of new advisory:

High │ Prototype Pollution in node-forge
https://npmjs.com/advisories/1561
@kidplug
Copy link
Author

kidplug commented Oct 2, 2020

Current package.json:

  "dependencies": {
    "node-forge": "^0.9.0"
  },

Semantic versioning for major "0" ignores the caret ^ :(

@kidplug kidplug mentioned this issue Oct 2, 2020
Merged
1 task
@yoshi-automation yoshi-automation added the triage me I really want to be triaged. label Oct 3, 2020
@sofisl sofisl removed the triage me I really want to be triaged. label Oct 5, 2020
@sofisl sofisl closed this as completed Oct 5, 2020
@kidplug
Copy link
Author

kidplug commented Oct 5, 2020

Closed, won't do?

@sofisl sofisl reopened this Oct 5, 2020
@sofisl
Copy link
Contributor

sofisl commented Oct 5, 2020

I'm sorry, premature close! I was confused by the PR earlier.

@sofisl sofisl added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Oct 5, 2020
stephenplusplus added a commit to googleapis/node-gtoken that referenced this issue Oct 6, 2020
@stephenplusplus
fix(deps): upgrade google-p12-pem
fe6ca89 
Includes the fix googleapis/google-p12-pem#297
@stephenplusplus stephenplusplus mentioned this issue Oct 6, 2020
Merged
@kidplug
Copy link
Author

kidplug commented Oct 6, 2020

This doesn't fix the issue in the [email protected] release

@stephenplusplus
Copy link

My PR unintentionally closed this issue. I don't know if we want to go back and address this in the 2.0.0 release-- are you unable to upgrade to ^3.0?

@kidplug
Copy link
Author

kidplug commented Oct 6, 2020

We'd prefer to not upgrade all these libs at this time.
The dependency tree is this:

└─┬ @google-cloud/[email protected]
  └─┬ @google-cloud/[email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected]

As far as I can tell, 3.6.0 is still a "current" release of google cloud speech; likewise for all the other packages shown.
The only package in that last which is not a "current" release is node-forge.

I would expect any "current" releases to apply dependency upgrades when a "HIGH" npm advisory is issued:
High │ Prototype Pollution in node-forge
https://npmjs.com/advisories/1561

@stephenplusplus
Copy link

stephenplusplus commented Oct 6, 2020
edited
Loading

I'm currently working through a similar tree here: googleapis/nodejs-logging#904 (comment). Eventually, Speech (the ^4.x releases) will get a new release once the others are updated.

cc @bcoe @JustinBeckwith for the concerns regarding the release process.

@stephenplusplus
Copy link

@kidplug Going back in a previous release line to make the fix is possible, but ideally, you could upgrade to make sure you're protected going forward. Is there anything we can do to help the upgrade process? Did the change to speech@4 involve any breaking changes that are difficult to include in your app/environment?

@bcoe bcoe mentioned this issue Oct 6, 2020
Closed
stephenplusplus added a commit to googleapis/nodejs-logging that referenced this issue Oct 6, 2020
@stephenplusplus
fix(deps): upgrade @google-cloud/common
8678fbf 
Addresses a potential prototype pollution leak: googleapis/google-p12-pem#297, https://github.com/digitalbazaar/forge/blob/588c41062d9a13f8dc91be3723b159c6cc434b15/CHANGELOG.md
@stephenplusplus stephenplusplus mentioned this issue Oct 6, 2020
Merged
@kidplug
Copy link
Author

kidplug commented Oct 6, 2020

I'll try the google speech v4 upgrade. Initially testing seems fine.

stephenplusplus added a commit to googleapis/nodejs-logging that referenced this issue Oct 6, 2020
@stephenplusplus
fix(deps): upgrade @google-cloud/common (#905)
228864b 
Addresses a potential prototype pollution leak: googleapis/google-p12-pem#297, https://github.com/digitalbazaar/forge/blob/588c41062d9a13f8dc91be3723b159c6cc434b15/CHANGELOG.md
@bcoe
Copy link
Contributor

bcoe commented Oct 7, 2020

@kidplug did the upgrade go okay for you? I'm debating today whether or not we need to back-port fixes to the 5.x version of auth.

@kidplug
Copy link
Author

kidplug commented Oct 7, 2020

Yes, our application ran fine on the upgraded speech library. Planning to commit the upgrade in our upcoming release.

@staadecker
Copy link

@bcoe I would personally would really enjoy a back-port fix to at least 2.0.2 since the firebase-tools package depends on 2.0.2 and isn't able to update to the latest version (see here, they don't want to drop support to Node 8). A back-port to versions 2.0.2 and 2.0.4 would resolve the issue. firebase-tools has over 1 million monthly downloads.

Thank you!

@yoshi-automation yoshi-automation added 🚨 This issue needs some love. and removed 🚨 This issue needs some love. labels Feb 10, 2021
@sofisl sofisl removed the priority: p2 Moderately-important priority. Fix may not be included in next release. label Mar 31, 2021
@sofisl sofisl added type: process A process-related concern. May include testing, release, or the like. and removed type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Mar 31, 2021
@sofisl
Copy link
Contributor

sofisl commented Mar 31, 2021

@bcoe, given that this would involve back-porting a fix, and that we are not currently (though we do plan to) provide ongoing support to these versions in the future, I'm relabeling this issue as a process. We can (eventually) try out Java's new tooling for these types of requests.

@chingor13 chingor13 mentioned this issue Jul 20, 2021
Merged
gcf-merge-on-green bot pushed a commit that referenced this issue Jul 20, 2021
@chingor13
fix(deps): update node-forge to 0.10.0 (#341)
201f9c3 
Fixes #297
Towards #337
@chingor13
Copy link
Contributor

Backported to v2.0.5 in #345

gcf-merge-on-green bot pushed a commit that referenced this issue Jul 20, 2021
@release-please
chore: release 2.0.5 (#345)
0db2445 
🤖 I have created a release \*beep\* \*boop\*
---
### [2.0.5](https://www.github.com/googleapis/google-p12-pem/compare/v2.0.4...v2.0.5) (2021-07-20)


### Bug Fixes

* **deps:** update node-forge to 0.10.0 ([#341](https://www.github.com/googleapis/google-p12-pem/issues/341)) ([201f9c3](https://www.github.com/googleapis/google-p12-pem/commit/201f9c3405a14633c35b99b1f14e3e89db6b6aae)), closes [#297](https://www.github.com/googleapis/google-p12-pem/issues/297) [#337](https://www.github.com/googleapis/google-p12-pem/issues/337)
---


This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bcoe bcoe

@sofisl sofisl

Labels
type: process A process-related concern. May include testing, release, or the like.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@chingor13 @bcoe @stephenplusplus @kidplug @staadecker @yoshi-automation @sofisl