npm - node-forge - Versions diffs - 0.9.2 → 0.10.0 - Mend

node-forge 0.9.2 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,24 @@
 Forge ChangeLog
 ===============
+## 0.10.0 - 2019-09-01
+### Changed
+- **BREAKING**: Node.js 4 no longer supported. The code *may* still work, and
+  non-invasive patches to keep it working will be considered. However, more
+  modern tools no longer support old Node.js versions making testing difficult.
+### Removed
+- **BREAKING**: Remove `util.getPath`, `util.setPath`, and `util.deletePath`.
+  `util.setPath` had a potential prototype pollution security issue when used
+  with unsafe inputs. These functions are not used by `forge` itself. They date
+  from an early time when `forge` was targeted at providing general helper
+  functions. The library direction changed to be more focused on cryptography.
+  Many other excellent libraries are more suitable for general utilities. If
+  you need a replacement for these functions, consier `get`, `set`, and `unset`
+  from [lodash](https://lodash.com/). But also consider the potential similar
+  security issues with those APIs.
 ## 0.9.2 - 2019-09-01
 ### Changed

package/README.md CHANGED Viewed

@@ -2035,8 +2035,6 @@ When using this code please keep the following in mind:
 - Certain features in this library are less susceptible to attacks depending on
   usage. This primarily includes features that deal with data format
   manipulation or those that are not involved in communication.
-- Do not pass unsafe inputs to `util.setPath`. Doing so could expose a
-  prototype pollution security issue.
 Library Background
 ------------------