nodejs.org

Windows MSI Installer for Node/npm (LTS) uses vulnerable/obsolete security certificate hash, SHA1

Open CalculonPrime opened this issue 3 years ago • 2 comments

SHA1 is vulnerable, as reported years ago by Google and other security researchers. Collisions can be generated in the real world. You need to move to SHA256/SHA512.

CalculonPrime avatar Mar 31 '22 14:03 CalculonPrime

@Trott do you want to move this one, doesn't seem like the right repo

nschonni avatar Mar 31 '22 14:03 nschonni

> @Trott do you want to move this one, doesn't seem like the right repo

I'm not sure if the right repo would be the build repo or the release repo or the main node repo, but once I figure that out, I'll move it. That's assuming this isn't a case of "Hey, don't report security issues in a public repo. Please follow the https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security (which is what the 'Security' link in the header nav on the site points to)."

Trott avatar Apr 01 '22 00:04 Trott

@CalculonPrime please feel free to follow the security guide mentioned by @Trott about how to report security issues.

Closing this one, thanks!

ovflowd avatar Mar 21 '23 21:03 ovflowd

This probably does the trick: https://github.com/nodejs/node/pull/47206

tniessen avatar Mar 21 '23 22:03 tniessen