Update dependency node-forge to v1.4.0 #31
This PR contains the following updates:
node-forge: 1.3.2 → 1.4.0

Release Notes
digitalbazaar/forge (node-forge)
v1.4.0
Security

- `BigInteger.modInverse()`: the `BigInteger.modInverse()` function (inherited from the bundled `jsbn` library). When `modInverse()` is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
- public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an additional field within the ASN.1 structure, rather than outside of it.
- 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
- Ed25519 due to missing S < L check. Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
- `basicConstraints` bypass in certificate chain verification. `pki.verifyCertificateChain()` does not enforce RFC 5280 `basicConstraints` requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
Added

- 2.5.4.65/pseudonym

Changed

- `jsbn` 1.4. Sync partly back to original style for easier updates every decade or so.
Fixed

- `BigInteger.modInverse` to avoid an infinite loop and exit early with zero when the target object value is <= 0. Zero may not be strictly mathematically correct but aligns with current `jsbn` behavior returning zero in other situations. The alternate of a `RangeError` would diverge from the rest of the API.
- required to be eight octets for block types 1 and 2.
- [ed25519] Add canonical signature scalar check for S < L.
- `basicConstraints` on non-leaf certificates.
v1.3.3

Fixed

- introduced in 1.3.2.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.