NPM audit found 1 high severity vulnerability - Prototype Pollution in node-forge

[Drag13]

NPM audit found 1 high severity vulnerability - Prototype Pollution in node-forge

Sorry to say, but the npm audit found one more security vulnerability in the react-scripts v 3.4.3

Run  npm update selfsigned --depth 3  to resolve 1 vulnerability

  High            Prototype Pollution in node-forge                             

  Package         node-forge                                                    

  Dependency of   react-scripts                                                 

  Path            react-scripts > webpack-dev-server > selfsigned > node-forge  

  More info       https://npmjs.com/advisories/1561     

This is probably a false positive report, but it fails CI/CD as far as it has high severity and existed in non-dev dependencies.

Steps to reproduce:

npx create-react-app demo-app
npm audit

[cjcurrie]

I got four similar warnings for node-forge from firebase-tools in
firebase-tools > @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge

[Drag13]

@cjcurrie
Node-forge has more than 11_000_000 downloads per week and more than 1_000 dependent projects.
A huge amount of people will see this warning 💯

[KiranManaguli-git1]

i have also got same issue and its failing my pipeline in azure devops. how to resolve this.....

[Drag13]

@KiranManaguli-git1

For Azure Devop, as a temporary solution, you can make npm audit optional with continueOnError set to true:

[kinothUI]

create-react-app@latest -> webpack-dev-server@3.11.0 -> selfsigned@1.10.7 -> node-forge@0.9.0
webpack/webpack-dev-server#2755

Hope this is resolved soonish

[bentong95923]

I had followed the instruction by npm and ran "npm update selfsigned --depth 3" and it resolves. Is this step correct or am I not supposed to run it?

[gaearon]

This is indeed a false positive. It is resolved upstream so there is nothing for us to do here. If you see this, regenerate your lockfile.