From 1dbfda797a3f654ddcacb91ecd2d4e2883fdd92f Mon Sep 17 00:00:00 2001 From: Camille Malonzo Date: Tue, 31 Mar 2026 13:36:16 -0400 Subject: [PATCH 1/2] Bump node-forge to 1.4.0 to address CVEs GHSA-2328-f5f3-gj25, GHSA-q67f-28xg-22rw, GHSA-5m6q-g25r-mvwx, GHSA-ppp5-5v6c-4jwp --- .../node-forge-1.4.0_2026-03-31-17-35.json | 10 ++++++++++ .../subspaces/build-tests-subspace/pnpm-lock.yaml | 10 +++++----- .../subspaces/build-tests-subspace/repo-state.json | 4 ++-- common/config/subspaces/default/pnpm-lock.yaml | 12 ++++++------ common/config/subspaces/default/repo-state.json | 2 +- libraries/debug-certificate-manager/package.json | 2 +- 6 files changed, 25 insertions(+), 15 deletions(-) create mode 100644 common/changes/@rushstack/debug-certificate-manager/node-forge-1.4.0_2026-03-31-17-35.json diff --git a/common/changes/@rushstack/debug-certificate-manager/node-forge-1.4.0_2026-03-31-17-35.json b/common/changes/@rushstack/debug-certificate-manager/node-forge-1.4.0_2026-03-31-17-35.json new file mode 100644 index 0000000000..ef79ee671a --- /dev/null +++ b/common/changes/@rushstack/debug-certificate-manager/node-forge-1.4.0_2026-03-31-17-35.json @@ -0,0 +1,10 @@ +{ + "changes": [ + { + "packageName": "@rushstack/debug-certificate-manager", + "comment": "Bump node-forge to 1.4.0 to address CVEs GHSA-2328-f5f3-gj25, GHSA-q67f-28xg-22rw, GHSA-5m6q-g25r-mvwx, GHSA-ppp5-5v6c-4jwp\"", + "type": "patch" + } + ], + "packageName": "@rushstack/debug-certificate-manager" +} \ No newline at end of file diff --git a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml index 81bc60134e..c13047a87e 100644 --- a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml +++ b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml 
@@ -837,7 +837,7 @@ packages: '@rushstack/heft-api-extractor-plugin@file:../../../heft-plugins/heft-api-extractor-plugin': resolution: {directory: ../../../heft-plugins/heft-api-extractor-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.7 + '@rushstack/heft': 1.2.8 '@rushstack/heft-config-file@file:../../../libraries/heft-config-file': resolution: {directory: ../../../libraries/heft-config-file, type: directory} @@ -846,7 +846,7 @@ packages: '@rushstack/heft-jest-plugin@file:../../../heft-plugins/heft-jest-plugin': resolution: {directory: ../../../heft-plugins/heft-jest-plugin, type: directory} peerDependencies: - '@rushstack/heft': ^1.2.7 + '@rushstack/heft': ^1.2.8 jest-environment-jsdom: ^29.5.0 jest-environment-node: ^29.5.0 peerDependenciesMeta: @@ -858,17 +858,17 @@ packages: '@rushstack/heft-lint-plugin@file:../../../heft-plugins/heft-lint-plugin': resolution: {directory: ../../../heft-plugins/heft-lint-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.7 + '@rushstack/heft': 1.2.8 '@rushstack/heft-node-rig@file:../../../rigs/heft-node-rig': resolution: {directory: ../../../rigs/heft-node-rig, type: directory} peerDependencies: - '@rushstack/heft': ^1.2.7 + '@rushstack/heft': ^1.2.8 '@rushstack/heft-typescript-plugin@file:../../../heft-plugins/heft-typescript-plugin': resolution: {directory: ../../../heft-plugins/heft-typescript-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.7 + '@rushstack/heft': 1.2.8 '@rushstack/heft@file:../../../apps/heft': resolution: {directory: ../../../apps/heft, type: directory} diff --git a/common/config/subspaces/build-tests-subspace/repo-state.json b/common/config/subspaces/build-tests-subspace/repo-state.json index 6a2e519593..9df0b211bf 100644 --- a/common/config/subspaces/build-tests-subspace/repo-state.json +++ b/common/config/subspaces/build-tests-subspace/repo-state.json 
@@ -1,6 +1,6 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "306357c78efe97f545fc0681fdb84d17f79bbbb2", + "pnpmShrinkwrapHash": "cd70c9ebb52ab8adb6b1201a34311e706d2dd022", "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9", - "packageJsonInjectedDependenciesHash": "0750dcefdccb64160667c86a2af1ba7854f159e2" + "packageJsonInjectedDependenciesHash": "f68d55b015261ba582766c5abb59428493a2f278" } diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml index bf9076a2f7..80d706ed57 100644 --- a/common/config/subspaces/default/pnpm-lock.yaml +++ b/common/config/subspaces/default/pnpm-lock.yaml @@ -3728,8 +3728,8 @@ importers: specifier: workspace:* version: link:../terminal node-forge: - specifier: ~1.3.1 - version: 1.3.3 + specifier: 1.4.0 + version: 1.4.0 devDependencies: '@rushstack/heft': specifier: workspace:* @@ -15414,8 +15414,8 @@ packages: encoding: optional: true - node-forge@1.3.3: - resolution: {integrity: sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==} + node-forge@1.4.0: + resolution: {integrity: sha512-LarFH0+6VfriEhqMMcLX2F7SwSXeWwnEAJEsYm5QKWchiVYVvJyV9v7UDvUv+w5HO23ZpQTXDv/GxdDdMyOuoQ==} engines: {node: '>= 6.13.0'} node-gyp@8.1.0: @@ -33564,7 +33564,7 @@ snapshots: optionalDependencies: encoding: 0.1.13 - node-forge@1.3.3: {} + node-forge@1.4.0: {} node-gyp@8.1.0: dependencies: @@ -35437,7 +35437,7 @@ snapshots: selfsigned@2.4.1: dependencies: '@types/node-forge': 1.3.14 - node-forge: 1.3.3 + node-forge: 1.4.0 selfsigned@5.5.0: dependencies: diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json index 19ae7edefa..ac4bbcc89a 100644 --- a/common/config/subspaces/default/repo-state.json +++ b/common/config/subspaces/default/repo-state.json 
@@ -1,5 +1,5 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "958d2b2f4a0d7c66f79432acbee97ea344254ed6", + "pnpmShrinkwrapHash": "97a00700aee0720619cf6b43245a22c1443513c4", "preferredVersionsHash": "029c99bd6e65c5e1f25e2848340509811ff9753c" } diff --git a/libraries/debug-certificate-manager/package.json b/libraries/debug-certificate-manager/package.json index dfbd9f890c..abd6797413 100644 --- a/libraries/debug-certificate-manager/package.json +++ b/libraries/debug-certificate-manager/package.json @@ -40,7 +40,7 @@ "dependencies": { "@rushstack/node-core-library": "workspace:*", "@rushstack/terminal": "workspace:*", - "node-forge": "~1.3.1" + "node-forge": "1.4.0" }, "devDependencies": { "@rushstack/heft": "workspace:*", From 1c760406d1546374775c0a3e882258cdbeb2be31 Mon Sep 17 00:00:00 2001 From: Camille Malonzo Date: Wed, 1 Apr 2026 12:11:28 -0400 Subject: [PATCH 2/2] Fix @types/node-forge 1.3.14 type incompatibility in CertificateManager MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Upgrade @types/node-forge from 1.0.4 to 1.3.14 to match the node-forge 1.4.0 bump. The newer types widen pki.PrivateKey to pki.rsa.PrivateKey | Buffer, so cast to pki.rsa.PrivateKey at the two certificate.sign() call sites — safe since both keys come from forge.pki.rsa.generateKeyPair(). Co-Authored-By: Claude Sonnet 4.6 --- .../subspaces/build-tests-subspace/pnpm-lock.yaml | 10 +++++----- .../subspaces/build-tests-subspace/repo-state.json | 4 ++-- common/config/subspaces/default/pnpm-lock.yaml | 13 +++---------- common/config/subspaces/default/repo-state.json | 2 +- libraries/debug-certificate-manager/package.json | 4 ++-- .../src/CertificateManager.ts | 4 ++-- 6 files changed, 15 insertions(+), 22 deletions(-) 
diff --git a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml index c13047a87e..c50b8b157b 100644 --- a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml +++ b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml @@ -837,7 +837,7 @@ packages: '@rushstack/heft-api-extractor-plugin@file:../../../heft-plugins/heft-api-extractor-plugin': resolution: {directory: ../../../heft-plugins/heft-api-extractor-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.8 + '@rushstack/heft': 1.2.9 '@rushstack/heft-config-file@file:../../../libraries/heft-config-file': resolution: {directory: ../../../libraries/heft-config-file, type: directory} @@ -846,7 +846,7 @@ packages: '@rushstack/heft-jest-plugin@file:../../../heft-plugins/heft-jest-plugin': resolution: {directory: ../../../heft-plugins/heft-jest-plugin, type: directory} peerDependencies: - '@rushstack/heft': ^1.2.8 + '@rushstack/heft': ^1.2.9 jest-environment-jsdom: ^29.5.0 jest-environment-node: ^29.5.0 peerDependenciesMeta: @@ -858,17 +858,17 @@ packages: '@rushstack/heft-lint-plugin@file:../../../heft-plugins/heft-lint-plugin': resolution: {directory: ../../../heft-plugins/heft-lint-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.8 + '@rushstack/heft': 1.2.9 '@rushstack/heft-node-rig@file:../../../rigs/heft-node-rig': resolution: {directory: ../../../rigs/heft-node-rig, type: directory} peerDependencies: - '@rushstack/heft': ^1.2.8 + '@rushstack/heft': ^1.2.9 '@rushstack/heft-typescript-plugin@file:../../../heft-plugins/heft-typescript-plugin': resolution: {directory: ../../../heft-plugins/heft-typescript-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.8 + '@rushstack/heft': 1.2.9 '@rushstack/heft@file:../../../apps/heft': resolution: {directory: ../../../apps/heft, type: directory} 
diff --git a/common/config/subspaces/build-tests-subspace/repo-state.json b/common/config/subspaces/build-tests-subspace/repo-state.json index 9df0b211bf..17c2a9ca64 100644 --- a/common/config/subspaces/build-tests-subspace/repo-state.json +++ b/common/config/subspaces/build-tests-subspace/repo-state.json @@ -1,6 +1,6 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "cd70c9ebb52ab8adb6b1201a34311e706d2dd022", + "pnpmShrinkwrapHash": "b521001fa31a13e992f9979b1292951aa6452daa", "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9", - "packageJsonInjectedDependenciesHash": "f68d55b015261ba582766c5abb59428493a2f278" + "packageJsonInjectedDependenciesHash": "a9488da9faaa4bc0166edfe82f2177d7a68e4cb1" } diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml index 80d706ed57..400a6d0e76 100644 --- a/common/config/subspaces/default/pnpm-lock.yaml +++ b/common/config/subspaces/default/pnpm-lock.yaml @@ -3728,15 +3728,15 @@ importers: specifier: workspace:* version: link:../terminal node-forge: - specifier: 1.4.0 + specifier: ~1.4.0 version: 1.4.0 devDependencies: '@rushstack/heft': specifier: workspace:* version: link:../../apps/heft '@types/node-forge': - specifier: 1.0.4 - version: 1.0.4 + specifier: 1.3.14 + version: 1.3.14 eslint: specifier: ~9.37.0 version: 9.37.0 @@ -10144,9 +10144,6 @@ packages: '@types/node-fetch@2.6.13': resolution: {integrity: sha512-QGpRVpzSaUs30JBSGPjOg4Uveu384erbHBoT1zeONvyCfwQxIkUshLAOqN/k9EjGviPRmWTTe6aH2qySWKTVSw==} - '@types/node-forge@1.0.4': - resolution: {integrity: sha512-UpX8LTRrarEZPQvQqF5/6KQAqZolOVckH7txWdlsWIJrhBFFtwEUTcqeDouhrJl6t0F7Wg5cyUOAqqF8a6hheg==} - '@types/node-forge@1.3.14': resolution: {integrity: sha512-mhVF2BnD4BO+jtOp7z1CdzaK4mbuK0LLQYAvdOLqHTavxFNq4zA1EmYkpnFjP8HOUzedfQkRnp0E2ulSAYSzAw==} 
@@ -26267,10 +26264,6 @@ snapshots: '@types/node': 22.9.3 form-data: 4.0.5 - '@types/node-forge@1.0.4': - dependencies: - '@types/node': 22.9.3 - '@types/node-forge@1.3.14': dependencies: '@types/node': 22.9.3 diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json index ac4bbcc89a..62b97c64d3 100644 --- a/common/config/subspaces/default/repo-state.json +++ b/common/config/subspaces/default/repo-state.json @@ -1,5 +1,5 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "97a00700aee0720619cf6b43245a22c1443513c4", + "pnpmShrinkwrapHash": "e23050723096714a6ca776a9d1b1f3d558cdb2fd", "preferredVersionsHash": "029c99bd6e65c5e1f25e2848340509811ff9753c" } diff --git a/libraries/debug-certificate-manager/package.json b/libraries/debug-certificate-manager/package.json index abd6797413..2d33b4c023 100644 --- a/libraries/debug-certificate-manager/package.json +++ b/libraries/debug-certificate-manager/package.json @@ -40,11 +40,11 @@ "dependencies": { "@rushstack/node-core-library": "workspace:*", "@rushstack/terminal": "workspace:*", - "node-forge": "1.4.0" + "node-forge": "~1.4.0" }, "devDependencies": { "@rushstack/heft": "workspace:*", - "@types/node-forge": "1.0.4", + "@types/node-forge": "1.3.14", "eslint": "~9.37.0", "local-node-rig": "workspace:*" }, diff --git a/libraries/debug-certificate-manager/src/CertificateManager.ts b/libraries/debug-certificate-manager/src/CertificateManager.ts index f36143fd05..98456579fb 100644 --- a/libraries/debug-certificate-manager/src/CertificateManager.ts +++ b/libraries/debug-certificate-manager/src/CertificateManager.ts @@ -380,7 +380,7 @@ export class CertificateManager { ]); // self-sign certificate - certificate.sign(keys.privateKey, forge.md.sha256.create()); + certificate.sign(keys.privateKey as pki.rsa.PrivateKey, forge.md.sha256.create()); return { certificate, 
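Review bot: The `as pki.rsa.PrivateKey` cast on the self-sign line only asserts the key type to the compiler; it does not check it. If `keys` really is the result of `forge.pki.rsa.generateKeyPair()` as the commit message states, declaring it as `pki.rsa.KeyPair` would let `keys.privateKey` carry the RSA type and make the cast unnecessary. Where the declaration cannot be narrowed, a guard before the call such as `if (Buffer.isBuffer(keys.privateKey)) { throw new Error('Expected an RSA private key'); }` turns the assumption into an explicit runtime failure instead of one raised inside forge. The enclosing method starts and ends outside the hunk, so the declaration of `keys` is not visible here.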
@@ -475,7 +475,7 @@ export class CertificateManager { ]); // Sign certificate with CA - certificate.sign(caPrivateKey, forge.md.sha256.create()); + certificate.sign(caPrivateKey as pki.rsa.PrivateKey, forge.md.sha256.create()); // convert a Forge certificate to PEM const caPem: string = forge.pki.certificateToPem(caCertificate);
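Review bot: `caPrivateKey` is cast to `pki.rsa.PrivateKey` at the sign call, but its origin lies outside this hunk, and the commit message's claim that both keys come from `generateKeyPair()` cannot be confirmed from what is shown; if the CA key is instead parsed from stored PEM, the cast silently admits a non-RSA key and the error only surfaces inside `sign()`. A narrowing check before the call, e.g. `if (Buffer.isBuffer(caPrivateKey)) { throw new Error('CA private key must be an RSA key'); }`, keeps the failure explicit and lets TypeScript narrow the type without a cast. A one-line comment on the cast, `// Narrowed from pki.PrivateKey (rsa | Buffer) in @types/node-forge 1.3.14; only RSA keys are produced here`, would also record why the cast exists for the next reader. The enclosing method starts and ends outside the hunk.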