webpack-dev-server: Security problem with `node-forge`

GitHub Security Advisory reports that node-forge 0.9.0, which is an indirect dependency of webpack-dev-server 3.11.0, has a high severity problem: https://github.com/advisories/GHSA-92xj-mqp7-vmcj

Webpack Dev Server uses that package through a package called selfsigned, which tracks this problem here: https://github.com/jfromaniello/selfsigned/issues/41

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 17 (6 by maintainers)

Most upvoted comments

An alternative to manually editing the yarn.lock file was:

  1. add the below to package.json

     ```json
     "resolutions": {
       "webpack-dev-server/**/selfsigned": "^1.10.8"
     }
     ```

  2. yarn install. This modifies yarn.lock
  3. git restore package.json
  4. yarn install. This again modifies yarn.lock
  5. commit the yarn.lock change

@khhhum webpack-dev-server already allows the updated selfsigned and node-forge, a webpack-dev-server release isn’t required to use those updated dependencies.

But it can be confusing to figure out how to update ‘indirect’ dependencies like this, and the tooling can be surprisingly unhelpful.

If you are using yarn, the best way I have found is to open up the yarn.lock manually, delete the lines for selfsigned and node-forge, and then run yarn install. It will insert the (new) latest allowable releases of selfsigned and node-forge into your yarn.lock, and you have updated your dependencies, no need for a webpack-dev-server release. See this blog post and this yarn issue. I remain surprised yarn doesn’t support a way of upgrading indirect dependencies less manually.

If you are using npm straight, without yarn or other alternatives, I’m not certain of the approach, but there should be one that does not require a webpack-dev-server release. If dependencies had to be re-released every time there was a new release of any of their own dependencies, that would be messy!
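Whichever of the two yarn approaches above you use, the thing to verify afterwards is what the lockfile actually resolves, since `package.json` alone does not tell you. The following is an added example, not code from this thread or from webpack-dev-server: it parses a yarn.lock v1 file and reports any `selfsigned` or `node-forge` entry still resolving below a floor. The lock text is a constructed excerpt; the selfsigned floor is the 1.10.8 named in the thread, and the node-forge floor is an assumption taken from the advisory, not stated here.

```python
import re  # regex-free parse below; kept for callers that extend the header match

# Constructed excerpt in yarn.lock v1 layout: one block per resolved package.
SAMPLE_LOCK = """\
node-forge@0.9.0, node-forge@^0.9.0:
  version "0.9.0"

selfsigned@^1.10.7:
  version "1.10.7"
  dependencies:
    node-forge "0.9.0"

webpack-dev-server@^3.11.0:
  version "3.11.0"
  dependencies:
    selfsigned "^1.10.7"
"""

# selfsigned 1.10.8 is the fix named in the thread; the node-forge floor is an
# assumption from the advisory and is not stated in the thread.
MIN_VERSIONS = {"selfsigned": "1.10.8", "node-forge": "0.10.0"}

def parse_yarn_lock(text):
    """Map package name -> set of resolved versions from a v1 lockfile."""
    resolved, current = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.endswith(":"):
            # Header looks like 'name@range, name@range:'; names may be scoped
            # (@scope/pkg), so the package name ends at the LAST '@'.
            first = line.rstrip(":").split(",")[0].strip().strip('"')
            current = first[: first.rfind("@")]
        elif current and line.startswith("  version "):
            resolved.setdefault(current, set()).add(line.split('"')[1])
    return resolved

def version_tuple(v):
    """Numeric compare on the dotted core, ignoring any -prerelease suffix."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def find_outdated(text, minimums=MIN_VERSIONS):
    """Return {name: sorted resolved versions below its floor}; empty if clean."""
    found, outdated = parse_yarn_lock(text), {}
    for name, floor in minimums.items():
        bad = sorted(v for v in found.get(name, ())
                     if version_tuple(v) < version_tuple(floor))
        if bad:
            outdated[name] = bad
    return outdated

if __name__ == "__main__":
    for name, versions in find_outdated(SAMPLE_LOCK).items():
        print(f"{name}: yarn.lock still resolves {', '.join(versions)}")
```

Run it against your real lockfile with `find_outdated(open("yarn.lock").read())`; an empty result after `yarn install` is the confirmation that the lock-edit or resolutions step took effect.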

Thanks! Not difficult if you are authorized to do a release of the dependency, or can get the attention of those who are! Others of us tried by filing an issue on the selfsigned project and failed, but perhaps being a maintainer of webpack-dev-server got their attention, or using a method of communication other than github issues? Anyway, thanks!

Fixed in https://github.com/jfromaniello/selfsigned/releases/tag/v1.10.8. As you can see, this is usually not difficult. Just update lock files.

@jrochkind I suggest waiting a little longer, I tried to contact the developers