Update package-lock.json file to automatically remove the high severity vulnerability introduced by package node-forge #41
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Hi, @dmfrancisco, I have reported a vulnerability issue in package google-p12-pem.
As far as I am aware, vulnerability(high severity) CVE-2020-7720 detected in package node-forge(<0.10.0) is directly referenced by google-p12-pem@1.0.4, on which your package browserslist-ga@0.0.13 transitively depends. As such, this vulnerability can also affect browserslist-ga@0.0.13 via the following path:
browserslist-ga@0.0.13 ➔ googleapis@39.2.0 ➔ google-auth-library@3.1.2 ➔ gtoken@2.3.3 ➔ google-p12-pem@1.0.4 ➔ node-forge@0.8.5(vulnerable version)Since google-p12-pem has released a new patched version google-p12-pem@1.0.5 to resolve this issue (google-p12-pem@1.0.5 ➔ node-forge@0.10.0(fix version)), then this vulnerability patch can be automatically propagated into your project only if you update your package-lock.json file (delete package-lock.json and re-execute npm install command):
browserslist-ga@0.0.13 ➔ googleapis@39.2.0 ➔ google-auth-library@3.1.2 ➔ gtoken@2.3.3 ➔ google-p12-pem@1.0.5 ➔ node-forge@0.10.0(vulnerability fix version).A warm tip.^_^
Best regards,
Paimon
The text was updated successfully, but these errors were encountered: