npm - node-forge - Versions diffs - 0.8.5 → 0.10.0 - Mend

node-forge 0.8.5 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,60 @@
 Forge ChangeLog
 ===============
+## 0.10.0 - 2019-09-01
+### Changed
+- **BREAKING**: Node.js 4 no longer supported. The code *may* still work, and
+  non-invasive patches to keep it working will be considered. However, more
+  modern tools no longer support old Node.js versions making testing difficult.
+### Removed
+- **BREAKING**: Remove `util.getPath`, `util.setPath`, and `util.deletePath`.
+  `util.setPath` had a potential prototype pollution security issue when used
+  with unsafe inputs. These functions are not used by `forge` itself. They date
+  from an early time when `forge` was targeted at providing general helper
+  functions. The library direction changed to be more focused on cryptography.
+  Many other excellent libraries are more suitable for general utilities. If
+  you need a replacement for these functions, consier `get`, `set`, and `unset`
+  from [lodash](https://lodash.com/). But also consider the potential similar
+  security issues with those APIs.
+## 0.9.2 - 2019-09-01
+### Changed
+- Added `util.setPath` security note to function docs and to README.
+### Notes
+- **SECURITY**: The `util.setPath` function has the potential to cause
+  prototype pollution if used with unsafe input.
+  - This function is **not** used internally by `forge`.
+  - The rest of the library is unaffected by this issue.
+  - **Do not** use unsafe input with this function.
+  - Usage with known input should function as expected. (Including input
+    intentionally using potentially problematic keys.)
+  - No code changes will be made to address this issue in 0.9.x. The current
+    behavior *could* be considered a feature rather than a security issue.
+    0.10.0 will be released that removes `util.getPath` and `util.setPath`.
+    Consider `get` and `set` from [lodash](https://lodash.com/) if you need
+    replacements. But also consider the potential similar security issues with
+    those APIs.
+  - https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
+## 0.9.1 - 2019-09-26
+### Fixed
+- Ensure DES-CBC given IV is long enough for block size.
+## 0.9.0 - 2019-09-04
+### Added
+- Add ed25519.publicKeyFromAsn1 and ed25519.privateKeyFromAsn1 APIs.
+- A few OIDs used in EV certs.
+### Fixed
+- Improve ed25519 NativeBuffer check.
 ## 0.8.5 - 2019-06-18
 ### Fixed

package/README.md CHANGED Viewed

@@ -1409,15 +1409,17 @@ var privateKeyInfo = pki.wrapRsaPrivateKey(rsaPrivateKey);
 // convert a PKCS#8 ASN.1 PrivateKeyInfo to PEM
 var pem = pki.privateKeyInfoToPem(privateKeyInfo);
-// encrypts a PrivateKeyInfo and outputs an EncryptedPrivateKeyInfo
+// encrypts a PrivateKeyInfo using a custom password and
+// outputs an EncryptedPrivateKeyInfo
 var encryptedPrivateKeyInfo = pki.encryptPrivateKeyInfo(
-  privateKeyInfo, 'password', {
+  privateKeyInfo, 'myCustomPasswordHere', {
     algorithm: 'aes256', // 'aes128', 'aes192', 'aes256', '3des'
   });
-// decrypts an ASN.1 EncryptedPrivateKeyInfo
+// decrypts an ASN.1 EncryptedPrivateKeyInfo that was encrypted
+// with a custom password
 var privateKeyInfo = pki.decryptPrivateKeyInfo(
-  encryptedPrivateKeyInfo, 'password');
+  encryptedPrivateKeyInfo, 'myCustomPasswordHere');
 // converts an EncryptedPrivateKeyInfo to PEM
 var pem = pki.encryptedPrivateKeyToPem(encryptedPrivateKeyInfo);