Addressing node-forge vulnerabilities #19636

ste-curran · 2026-02-04T12:02:39Z

ste-curran
Feb 4, 2026

Hi,

I am proposing to resolve CVEs GHSA-554w-wpv2-vw27 and GHSA-5gfm-wpxj-wjgq which relate to node-forge, a transitive dependency of listhen.
I could resolve the node-forge vulnerabilities by using an override of that dependency as there is no newer version of listhen. But I have two questions:
1 - Do vulnerabilities relating to a transitive dependency of listhen need to be updated? listhen is only used for testing.
2 - Would an override of node-forge be acceptable as a resolution approach if update is necessary?

"pnpm": {
    "overrides": {
         "node-forge": "^1.3.2"
    }
}

Thanks!

Answered by yajatkaul

Feb 6, 2026

No, not strictly required. Very unlikely
Overriding is a totally acceptable and a common approach, it is widely used

View full answer

yajatkaul · 2026-02-06T14:07:48Z

yajatkaul
Feb 6, 2026

No, not strictly required. Very unlikely
Overriding is a totally acceptable and a common approach, it is widely used

1 reply

ste-curran Feb 6, 2026
Author

Thanks @yajatkaul

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Addressing node-forge vulnerabilities #19636

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Addressing node-forge vulnerabilities #19636

Uh oh!

Uh oh!

ste-curran Feb 4, 2026

Replies: 1 comment · 1 reply

Uh oh!

Uh oh!

yajatkaul Feb 6, 2026

Uh oh!

ste-curran Feb 6, 2026 Author

ste-curran
Feb 4, 2026

Replies: 1 comment 1 reply

yajatkaul
Feb 6, 2026

ste-curran Feb 6, 2026
Author