Dependency selfsigned old, creates transitive dependency on vulnerable node-forge

[benknoble]

Bug Description

There are newer versions of selfsigned available with updated (or even without!) node-forge. Please consider updating this package’s dependency so vulnerable node-forge versions don’t have to be overridden downstream.

Link to Minimal Reproduction and step to reproduce

You can easily see this by examining package-lock.json after installing the latest version of this package.

Expected Behavior

Vulnerable dependencies should be updated.

Actual Behavior

Vulnerable node-forge is installed.

Environment

macOS and linux; but it shouldn’t matter here.

Is this a regression?

None

Last Working Version

No response

Additional Context

No response

[VeerRaj-007]

Hi , I looked into this and confirmed that node-forge@1.3.3 is coming via selfsigned@2.4.1.

I see that newer versions of selfsigned (up to 5.2.0) are available and may depend on newer node-forge.

Before attempting a PR, I wanted to ask:

• Is bumping selfsigned to a newer major version acceptable here?
• Are there known compatibility concerns with webpack-dev-server’s HTTPS setup?

Happy to investigate and test this further if this approach sounds reasonable.

[benknoble]

Hi , I looked into this and confirmed that node-forge@1.3.3 is coming via selfsigned@2.4.1.

I see that newer versions of selfsigned (up to 5.2.0) are available and may depend on newer node-forge.

Before attempting a PR, I wanted to ask:

• Is bumping selfsigned to a newer major version acceptable here?
• Are there known compatibility concerns with webpack-dev-server’s HTTPS setup?

Happy to investigate and test this further if this approach sounds reasonable.

I can't speak to the questions you asked, but it is often easier to discuss something concrete. I would recommend opening the PR :)

[alexander-akait]

Fixed by #5618