fix: bump transient dependency node-forge for cve vulnerabilities#726

Merged: Will-ShaoHua merged 1 commit into aws:main from Will-ShaoHua:cve on Dec 11, 2025
Conversation

@Will-ShaoHua Will-ShaoHua commented Dec 11, 2025

## Problem

node-forge (affected version 1.3.1) found in package-lock.json:

- CVE-2025-12816 → Fixed in dependency version: v1.3.2
- CVE-2025-66031 → Fixed in dependency version: v1.3.2

```
(base) ➜  language-server-runtimes git:(cve) npm i
npm warn ERESOLVE overriding peer dependency
npm warn While resolving: cosmiconfig-typescript-loader@6.1.0
npm warn Found: @types/node@22.15.17
npm warn node_modules/@types/node
npm warn   dev @types/node@"^22.15.17" from the root project
npm warn   4 more (@types/mock-fs, @types/node-forge, protobufjs, @aws/language-server-runtimes)
npm warn
npm warn Could not resolve dependency:
npm warn peer @types/node@"*" from cosmiconfig-typescript-loader@6.1.0
npm warn node_modules/cosmiconfig-typescript-loader
npm warn   cosmiconfig-typescript-loader@"^6.1.0" from @commitlint/load@19.8.1
npm warn   node_modules/@commitlint/load
> @amzn/monorepo-language-server-runtimes@1.0.0 prepare
> husky .husky
added 1 package, removed 53 packages, and audited 366 packages in 2s
70 packages are looking for funding
  run `npm fund` for details

2 vulnerabilities (1 moderate, 1 high)
To address all issues, run:
  npm audit fix
Run `npm audit` for details.
(base) ➜  language-server-runtimes git:(cve) npm list node-forge --all
@amzn/monorepo-language-server-runtimes@1.0.0 /Volumes/workplace/ide/language-server-runtimes
└─┬ @aws/language-server-runtimes@0.3.10 -> ./runtimes
  ├─┬ mac-ca@3.1.1
  │ └── node-forge@1.3.1 deduped
  ├── node-forge@1.3.1
  └─┬ win-ca@3.5.1
    └── node-forge@1.3.1 deduped
```

## Solution

```
(base) ➜  language-server-runtimes git:(cve) npm audit fix
npm warn ERESOLVE overriding peer dependency
npm warn While resolving: cosmiconfig-typescript-loader@6.1.0
npm warn Found: @types/node@22.15.17
npm warn node_modules/@types/node
npm warn   dev @types/node@"^22.15.17" from the root project
npm warn   4 more (@types/mock-fs, @types/node-forge, protobufjs, @aws/language-server-runtimes)
npm warn
npm warn Could not resolve dependency:
npm warn peer @types/node@"*" from cosmiconfig-typescript-loader@6.1.0
npm warn node_modules/cosmiconfig-typescript-loader
npm warn   cosmiconfig-typescript-loader@"^6.1.0" from @commitlint/load@19.8.1
npm warn   node_modules/@commitlint/load

changed 2 packages, and audited 366 packages in 2s

70 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
(base) ➜  language-server-runtimes git:(cve) ✗ npm list node-forge
@amzn/monorepo-language-server-runtimes@1.0.0 /Volumes/workplace/ide/language-server-runtimes
└─┬ @aws/language-server-runtimes@0.3.10 -> ./runtimes
  ├─┬ mac-ca@3.1.1
  │ └── node-forge@1.3.3 deduped
  ├── node-forge@1.3.3
  └─┬ win-ca@3.5.1
    └── node-forge@1.3.3 deduped
```

## License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

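The PR above finds the vulnerable transitive dependency with `npm list node-forge --all` and verifies the bump after `npm audit fix`. The script below is an added example, not code from PR #726 or from the aws/language-server-runtimes project: it reads a `package-lock.json` directly (assumed to be lockfileVersion 2 or 3, which carry a flat `packages` map) and reports every installed copy of a package whose version is below the fixed version, including nested, non-deduped copies that a quick look at the hoisted `node_modules/<pkg>` entry would miss. The sample lockfile embedded in it is constructed for illustration; the only values taken from the PR are the package name and the fixed version 1.3.2.

```javascript
// Added example (not part of PR #726 or the aws/language-server-runtimes code base).
// Scans an npm package-lock.json (lockfileVersion 2 or 3 "packages" map) for every
// installed copy of a package and reports which copies are below the fixed version.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release tags are dropped (assumption:
// the lockfile records plain release versions, as it does for node-forge here).
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10));
}

// Returns negative if a < b, 0 if equal, positive if a > b (numeric, per component,
// so "1.10.0" correctly sorts above "1.9.9" where a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map and collect every copy of `name`. Keys look like
// "node_modules/<pkg>" or "node_modules/<parent>/node_modules/<pkg>"; the parent
// chain in the key shows which dependency pulled that copy in. Matching on the
// full "node_modules/<name>" suffix keeps "@types/node-forge" from matching "node-forge".
function findCopies(lock, name) {
  const out = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "" || !key.endsWith(`node_modules/${name}`)) continue;
    out.push({ path: key, version: meta.version });
  }
  return out;
}

// Flag each copy that is still below `fixedVersion`.
function auditPackage(lock, name, fixedVersion) {
  return findCopies(lock, name).map((c) => ({
    ...c,
    vulnerable: compareVersions(c.version, fixedVersion) < 0,
  }));
}

// Constructed sample lockfile (not the project's real lockfile): one hoisted copy of
// node-forge that mac-ca and win-ca dedupe to, plus a stale nested copy that a
// hypothetical "some-tool" pins, which `npm list` without --all would not show.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-root", version: "1.0.0" },
    "node_modules/node-forge": { version: "1.3.3" },
    "node_modules/mac-ca": { version: "3.1.1", dependencies: { "node-forge": "^1.3.1" } },
    "node_modules/win-ca": { version: "3.5.1", dependencies: { "node-forge": "^1.3.1" } },
    "node_modules/@types/node-forge": { version: "1.3.0" },
    "node_modules/some-tool/node_modules/node-forge": { version: "1.3.1" },
  },
};

// Audit the constructed sample against the fixed version from the PR.
function runSample() {
  return auditPackage(SAMPLE_LOCK, "node-forge", "1.3.2");
}

// Stand-alone usage: node audit-lock.js [package-lock.json] [package] [fixedVersion]
// Without arguments it audits the constructed sample.
if (typeof require === "function" && require.main === module) {
  const fs = require("fs");
  const [file, name, fixed] = process.argv.slice(2);
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const report = auditPackage(lock, name || "node-forge", fixed || "1.3.2");
  for (const r of report) {
    console.log(`${r.vulnerable ? "VULNERABLE" : "ok        "} ${r.version}  ${r.path}`);
  }
}
```

Run against the sample, the hoisted copy at 1.3.3 reports `ok` while the nested 1.3.1 copy reports `VULNERABLE`; this is the case `npm audit fix` can leave behind when a parent pins an old range, and it is why checking the lockfile (or `npm list <pkg> --all`, as the PR does) is more reliable than checking the top-level entry alone.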
@Will-ShaoHua Will-ShaoHua requested a review from a team as a code owner December 11, 2025 06:00
@Will-ShaoHua Will-ShaoHua merged commit e467373 into aws:main Dec 11, 2025
4 checks passed
@Will-ShaoHua Will-ShaoHua deleted the cve branch December 11, 2025 19:42
ashishrp-aws pushed a commit that referenced this pull request Dec 12, 2025
## Problem

Previous PR #726 didn't kick off release-please workflow due to `No user facing commits found since 36d17dc - skipping`

```
Fetching merge commits on branch main with cursor: undefined
✔ Splitting 4 commits by path
✔ Building candidate release pull request for path: chat-client-ui-types
❯ type: node
❯ targetBranch: main
❯ commits: 0
✔ Considering: 0 commits
✔ No commits for path: chat-client-ui-types, skipping
✔ Building candidate release pull request for path: runtimes
❯ type: node
❯ targetBranch: main
❯ commits: 1
✔ Considering: 1 commits
❯ component: language-server-runtimes
❯ pull request title pattern: undefined
❯ componentNoSpace: undefined
✔ No user facing commits found since 36d17dc - skipping
```

## Solution

- not sure why "chore: xxx" failed to work
- use `fix` instead


## License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.