janitor icon indicating copy to clipboard operation
janitor copied to clipboard
verified publisher icon JanitorTechnology

fix(deps): update dependency node-forge to v1 - abandoned

Open renovate[bot] opened this issue 3 years ago • 2 comments

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
node-forge 0.10.0 -> 1.3.1 age adoption passing confidence

Release Notes

digitalbazaar/forge

v1.3.1

Compare Source

Fixes
  • RFC 3447 and RFC 8017 allow for optional DigestAlgorithm NULL parameters for sha* algorithms and require NULL paramters for md2 and md5 algorithms.

v1.3.0

Compare Source

Security
Fixed
  • [asn1] Add fallback to pretty print invalid UTF8 data.
  • [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
    • NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
  • [rsa] Add and use a validator to check for proper structure of parsed ASN.1 RSASSA-PKCS-v1_5 DigestInfo data. Additionally check that the hash algorithm identifier is a known value from RFC 8017 PKCS1-v1-5DigestAlgorithms. An invalid DigestInfo or algorithm identifier will now throw an error.
    • NOTE: The previous lenient behavior is being changed to be more strict since it could lead to security issues with crafted inputs. It is possible that code may have to handle the errors from these stricter checks.
Added
  • [oid] Added missing RFC 8017 PKCS1-v1-5DigestAlgorithms algorithm identifiers:
    • 1.2.840.113549.2.2 / md2
    • 2.16.840.1.101.3.4.2.4 / sha224
    • 2.16.840.1.101.3.4.2.5 / sha512-224
    • 2.16.840.1.101.3.4.2.6 / sha512-256

v1.2.1

Compare Source

Fixed
  • [tests]: Load entire module to improve top-level testing and coverage reporting.
  • [log]: Refactor logging setup to avoid use of URLSearchParams.

v1.2.0

Compare Source

Fixed
  • [x509] 'Expected' and 'Actual' issuers were backwards in verification failure message.
Added
  • [oid,x509]: Added OID 1.3.14.3.2.29 / sha1WithRSASignature for sha1 with RSA. Considered a deprecated equivalent to 1.2.840.113549.1.1.5 / sha1WithRSAEncryption. See discussion and links.
Changed
  • [x509]: Reduce duplicate code. Add helper function to create a signature digest given an signature algorithm OID. Add helper function to verify signatures.

v1.1.0

Compare Source

Fixed
  • [x509]: Correctly compute certificate issuer and subject hashes to match behavior of openssl.
  • [pem]: Accept certificate requests with "NEW" in the label. "BEGIN NEW CERTIFICATE REQUEST" handled as "BEGIN CERTIFICATE REQUEST".

v1.0.0

Compare Source

Notes
  • 1.0.0!
  • This project is over a decade old! Time for a 1.0.0 release.
  • The URL related changes may expose bugs in some of the networking related code (unrelated to the much wider used cryptography code). The automated and manual test coverage for this code is weak at best. Issues or patches to update the code or tests would be appreciated.
Removed
  • SECURITY, BREAKING: Remove forge.debug API. The API has the potential for prototype pollution. This API was only briefly used by the maintainers for internal project debug purposes and was never intended to be used with untrusted user inputs. This API was not documented or advertised and is being removed rather than fixed.
  • SECURITY, BREAKING: Remove forge.util.parseUrl() (and forge.http.parseUrl alias) and use the WHATWG URL Standard. URL is supported by modern browers and modern Node.js. This change is needed to address URL parsing security issues. If forge.util.parseUrl() is used directly or through forge.xhr or forge.http APIs, and support is needed for environments without URL support, then a polyfill must be used.
  • BREAKING: Remove forge.task API. This API was never used, documented, or advertised by the maintainers. If anyone was using this API and wishes to continue development it in other project, please let the maintainers know. Due to use in the test suite, a modified version is located in tests/support/.
  • BREAKING: Remove forge.util.makeLink, forge.util.makeRequest, forge.util.parseFragment, forge.util.getQueryVariables. Replace with URL, URLSearchParams, and custom code as needed.
Changed
  • BREAKING: Increase supported Node.js version to 6.13.0 for URL support.
  • BREAKING: Renamed master branch to main.
  • BREAKING: Release process updated to use tooling that prefixes versions with v. Other tools, scripts, or scanners may need to adapt.
  • BREAKING: Remove docs related to Bower and forge-dist. Install using another method.
Added
  • OIDs for surname, title, and givenName.
Fixed
  • BREAKING: OID 2.5.4.5 name fixed from serialName to serialNumber. Depending on how applications used this id to name association it could cause compatibility issues.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] avatar Mar 26 '22 13:03 renovate[bot]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

renovate[bot] avatar Mar 24 '23 23:03 renovate[bot]