Bump node-forge package version #76699
Merged: jportner merged 1 commit into elastic:master on Sep 4, 2020
We have a direct dependency on node-forge `0.9.1`, and also a transitive dependency via `@elastic/request-crypto@1.1.4 > node-jose@1.1.0 > node-forge@0.7.6`. This commit updates both of these to `0.10.0`.
jportner (Contributor, Author):
Note: I did a manual smoke test by running Kibana and parsing a PKCS12 keystore, which is what we use
💚 Build Succeeded
watson approved these changes Sep 4, 2020
This was referenced Sep 4, 2020
jportner added a commit to jportner/kibana that referenced this pull request Sep 4, 2020
jportner commented Sep 4, 2020 on lines -20594 to +20597:
| node-forge@^0.7.6: | ||
| version "0.7.6" | ||
| resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.7.6.tgz#fdf3b418aee1f94f0ef642cd63486c77ca9724ac" | ||
| integrity sha512-sol30LUpz1jQFBjOKwbjxijiE3b6pjd74YwfD0fJOKPjF+fONKb2Yg8rYgS6+bK6VDl+/wfr4IYpC7jDzLUIfw== | ||
|
|
||
| node-forge@^0.9.1: | ||
| version "0.9.1" | ||
| resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.9.1.tgz#775368e6846558ab6676858a4d8c6e8d16c677b5" | ||
| integrity sha512-G6RlQt5Sb4GMBzXvhfkeFmbqR6MzhtnT7VTHuLadjkii3rdYHNdw0m8zA4BTxVIh68FicCQ2NSUANpsqkr9jvQ== | ||
| node-forge@^0.10.0, node-forge@^0.7.6: | ||
| version "0.10.0" | ||
| resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.10.0.tgz#32dea2afb3e9926f02ee5ce8794902691a676bf3" | ||
| integrity sha512-PPmu8eEeG9saEUvI97fm4OYxXVB6bFvyNTyiUOBichBpFG8A1Ljw3bY62+5oOjDEMHRnd0Y7HQ+x7uzxOzC6JA== |
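Review bot: the merged key `node-forge@^0.10.0, node-forge@^0.7.6:` locks `^0.7.6` to `0.10.0`, which is outside that range (a caret on a 0.x version only admits patch releases within the same minor, so `^0.7.6` stops short of 0.8.0), so this entry only survives a regenerated lockfile if the range is being overridden somewhere outside this hunk; the PR description should state how the resolution is forced and why 0.10.0 is safe for node-jose, the dependent that declared `^0.7.6`, so the next person who regenerates yarn.lock does not silently split the entry back into 0.7.6 and 0.10.0.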
jportner (Contributor, Author):
I forgot to mention before the review, but just for posterity:
There are no breaking changes between 0.7.6 and 0.9.1. In addition, node-jose's usage of node-forge did not include any of the vulnerable methods that were removed in 0.10.0. Finally, I followed node-jose's commit history (its master branch is using a newer version of node-forge); all of their updates to node-forge did not require any code updates. So that's how I deemed it was safe to force this to resolve to 0.10.0.
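The comment above describes how the author satisfied himself that forcing a transitive `^0.7.6` range to resolve to `0.10.0` was safe. The script below is an added example, not code from this PR, from Kibana or from node-forge: it parses yarn.lock-style entries and flags every key whose locked version lies outside the caret range it declared, so that forced resolutions like this one are surfaced for exactly that kind of review instead of being noticed only by reading the lockfile diff. The lockfile text is constructed: the node-forge entry is copied from the hunk in this PR, the `some-lib` entry is invented, and only plain `^x.y.z` ranges are evaluated (other range syntaxes are reported as unchecked).

```javascript
// Added example (not from the Kibana PR): find lockfile entries whose locked
// version does not satisfy the semver range the dependent declared. Such an
// entry is the footprint of a forced resolution and deserves a review note
// explaining why the jump is safe.

// Constructed sample: the node-forge entry mirrors the merged entry from this
// PR's yarn.lock hunk; the some-lib entry is invented as an in-range control.
const SAMPLE_LOCK = `
node-forge@^0.10.0, node-forge@^0.7.6:
  version "0.10.0"
  resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.10.0.tgz#32dea2afb3e9926f02ee5ce8794902691a676bf3"
  integrity sha512-PPmu8eEeG9saEUvI97fm4OYxXVB6bFvyNTyiUOBichBpFG8A1Ljw3bY62+5oOjDEMHRnd0Y7HQ+x7uzxOzC6JA==

some-lib@^2.1.0:
  version "2.1.4"
  resolved "https://registry.example.invalid/some-lib-2.1.4.tgz#constructed"
  integrity sha512-constructed
`;

// Minimal yarn.lock v1 reader: an unindented line ending in ':' opens an entry
// whose comma-separated keys are "name@range"; an indented 'version "x.y.z"'
// line gives the locked version. Other fields are ignored.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trimEnd();
    if (!line || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const keys = line
        .slice(0, -1)
        .split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
      current = { keys, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Scoped packages start with '@', so the name/range separator is the last '@'.
function splitKey(key) {
  const i = key.lastIndexOf('@');
  return { name: key.slice(0, i), range: key.slice(i + 1) };
}

function parseVersion(v) {
  const m = v.match(/^(\d+)\.(\d+)\.(\d+)/);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret semantics: ^X.Y.Z (X>0) allows anything below the next major,
// ^0.Y.Z (Y>0) allows anything below the next minor, ^0.0.Z allows only Z.
// Returns true/false, or null when the range is not a plain caret range.
function satisfiesCaret(range, version) {
  const m = range.match(/^\^(\d+)\.(\d+)\.(\d+)$/);
  const v = version ? parseVersion(version) : null;
  if (!m || !v) return null;
  const lo = m.slice(1, 4).map(Number);
  if (compare(v, lo) < 0) return false;
  if (lo[0] > 0) return v[0] === lo[0];
  if (lo[1] > 0) return v[0] === 0 && v[1] === lo[1];
  return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
}

// One finding per key: 'ok', 'forced' (locked version outside the range) or
// 'unchecked' (range syntax this reader does not evaluate).
function auditLock(text) {
  const findings = [];
  for (const entry of parseYarnLock(text)) {
    for (const key of entry.keys) {
      const { name, range } = splitKey(key);
      const ok = satisfiesCaret(range, entry.version);
      findings.push({
        name,
        range,
        version: entry.version,
        status: ok === null ? 'unchecked' : ok ? 'ok' : 'forced',
      });
    }
  }
  return findings;
}

// Running the file prints the findings; the node-forge ^0.7.6 key is reported
// as 'forced', which is the cue to ask for the justification given above.
console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

In a CI job the `forced` findings are the ones to compare against an allow-list of documented overrides; anything forced that is not on the list should fail the build, because it is a version jump nobody has written down a reason for.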
jportner added a commit that referenced this pull request Sep 4, 2020
jportner added a commit that referenced this pull request Sep 4, 2020
gmmorris added a commit to gmmorris/kibana that referenced this pull request Sep 4, 2020
* master: (47 commits)
  Do not require id & description when creating a logstash pipeline (elastic#76616)
  Remove commented src/core/tsconfig file (elastic#76792)
  Replaced whitelistedHosts with allowedHosts in actions ascii docs (elastic#76731)
  [Dashboard First] Genericize Attribute Service (elastic#76057)
  [ci-metrics] unify distributable file count metrics (elastic#76448)
  [Security Solution][Detections] Handle conflicts on alert status update (elastic#75492)
  [eslint] convert to @typescript-eslint/no-unused-expressions (elastic#76471)
  [DOCS] Add default time range filter to advanced settings (elastic#76414)
  [Security Solution] Refactor NetworkTopNFlow to use Search Strategy (elastic#76249)
  [Dashboard] Update Index Patterns when Child Index Patterns Change (elastic#76356)
  [ML] Add option to Advanced Settings to set default time range filter for AD jobs (elastic#76347)
  Add CSM app to CODEOWNERS (elastic#76793)
  [Security Solution][Exceptions] - Updates exception item find sort field (elastic#76685)
  [Security Solution][Detections][Tech Debt] - Move to using common io-ts types (elastic#75009)
  [Lens] Drag dimension to replace (elastic#75895)
  URI encode the index names we fetch in the fetchIndices lib function. (elastic#76584)
  [Security Solution] Resolver retrieve entity id of documents without field mapped (elastic#76562)
  [Ingest Manager] validate agent route using AJV instead kbn-config-schema (elastic#76546)
  Updated non-dev usages of node-forge (elastic#76699)
  [Ingest Pipelines] Processor forms for processors K-S (elastic#75638)
  ...
Note (from the PR description): we still have a transitive dev dependency on node-forge `0.9.0`; that package is out of date so I opted not to try to bump the version.