Update platform security modules (main)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@types/node-forge	^0.10.10 -> ^1.0.0
node-forge	^0.10.0 -> ^1.1.0

---

Release Notes

digitalbazaar/forge

v1.1.0

Compare Source

Fixed

• [x509]: Correctly compute certificate issuer and subject hashes to match
  behavior of openssl.
• [pem]: Accept certificate requests with "NEW" in the label. "BEGIN NEW
  CERTIFICATE REQUEST" handled as "BEGIN CERTIFICATE REQUEST".

v1.0.0

Compare Source

Notes

• 1.0.0!
• This project is over a decade old! Time for a 1.0.0 release.
• The URL related changes may expose bugs in some of the networking related
  code (unrelated to the much wider used cryptography code). The automated and
  manual test coverage for this code is weak at best. Issues or patches to
  update the code or tests would be appreciated.

Removed

• SECURITY, BREAKING: Remove forge.debug API. The API has the
  potential for prototype pollution. This API was only briefly used by the
  maintainers for internal project debug purposes and was never intended to be
  used with untrusted user inputs. This API was not documented or advertised
  and is being removed rather than fixed.
• SECURITY, BREAKING: Remove forge.util.parseUrl() (and
  forge.http.parseUrl alias) and use the WHATWG URL
  Standard. URL is supported by modern browers
  and modern Node.js. This change is needed to address URL parsing security
  issues. If forge.util.parseUrl() is used directly or through forge.xhr or
  forge.http APIs, and support is needed for environments without URL
  support, then a polyfill must be used.
• BREAKING: Remove forge.task API. This API was never used, documented,
  or advertised by the maintainers. If anyone was using this API and wishes to
  continue development it in other project, please let the maintainers know.
  Due to use in the test suite, a modified version is located in
  tests/support/.
• BREAKING: Remove forge.util.makeLink, forge.util.makeRequest,
  forge.util.parseFragment, forge.util.getQueryVariables. Replace with
  URL, URLSearchParams, and custom code as needed.

Changed

• BREAKING: Increase supported Node.js version to 6.13.0 for URL support.
• BREAKING: Renamed master branch to main.
• BREAKING: Release process updated to use tooling that prefixes versions
  with v. Other tools, scripts, or scanners may need to adapt.
• BREAKING: Remove docs related to Bower and
  forge-dist. Install using
  another method.

Added

• OIDs for surname, title, and givenName.

Fixed

• BREAKING: OID 2.5.4.5 name fixed from serialName to serialNumber.
  Depending on how applications used this id to name association it could cause
  compatibility issues.

---

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[jportner]

@elasticmachine run elasticsearch-ci/docs

[jportner]

Unfortunately we have two transitive dependencies of node-forge that will be stuck on v0.10.0:

yarn why node-forge
yarn why v1.22.10
[1/4] 🤔  Why do we have the module "node-forge"...?
[2/4] 🚚  Initialising dependency graph...
...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "node-forge"
info Reasons this module exists
   - Specified in "dependencies"
   - Hoisted from "@elastic#request-crypto#node-jose#node-forge"
   - Hoisted from "webpack-dev-server#selfsigned#node-forge"
info Disk size without dependencies: "1.77MB"

However, we only use these on the server side so we won't increase bundle sizes by changing our direct dependency to a different version.

The changes mostly revolve around removing unused APIs and changing URL parsing (which affects networking-related code). We don't use node-forge for that, we rely on it for parsing certificates and for cryptography, so I think our existing test coverage is sufficient for this upgrade.

EDIT: I checked both https://github.com/cisco/node-jose and https://github.com/jfromaniello/selfsigned, neither of them use any of the node-forge methods that have been changed/removed in this release. I'm confident it is safe to use a yarn dependency resolution to upgrade those as well.

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 235c3ff
• Storybooks Preview

Metrics [docs]

✅ unchanged

History

• 💚 Build #16258 succeeded d3dba45
• 💚 Build #16237 succeeded 32bd75d

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[jportner]

@elasticmachine run elasticsearch-ci/docs

[kibanamachine]

💔 Some backports could not be created

Status	Branch	Result
❌	8.0	Backport failed because of merge conflicts You might need to backport the following PRs to 8.0: - Update Github Action for backport (#122479)
❌	7.17	Backport failed because of merge conflicts

How to fix

Re-run the backport manually:

node scripts/backport --pr 122475

Questions ?

Please refer to the Backport tool documentation

[jportner]

💚 All backports created successfully

Status	Branch	Result
✅	8.0
✅	7.17

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation