Bump node-forge from 1.3.3 to 1.4.0 by dependabot[bot] · Pull Request #3775 · github/codeql-action
Pull request overview
Updates the CodeQL Action’s JavaScript crypto dependency node-forge to incorporate upstream security fixes (DoS and signature verification/cert chain validation issues) and keeps the repository’s lockfile/build artifacts in sync.
Changes:
- Bump `node-forge` from `^1.3.3` to `^1.4.0` in `package.json`.
- Update `package-lock.json` to lock `node-forge@1.4.0` (resolved URL + integrity).
- Refresh generated `lib/start-proxy-action.js` output to reflect the updated dependency bundle.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Updates the declared dependency range for node-forge to ^1.4.0. |
| package-lock.json | Locks node-forge to 1.4.0 with updated resolved/integrity metadata. |
| lib/start-proxy-action.js | Generated bundle output updated to include the new node-forge version. |