chore: upgrade selfsigned to v5 and remove node-forge dependency #5618
webpack-dev-server currently relies on selfsigned@2.x, which pulls in node-forge@^1 transitively. This results in node-forge@1.3.3 being installed, which is flagged by security scanners as vulnerable, forcing downstream users to apply manual overrides.
While upgrading selfsigned within the 4.x range does not resolve this (it still depends on node-forge), selfsigned@5.x removes the node-forge dependency entirely and instead uses @peculiar/x509 / pkijs.
What this PR does
Upgrades selfsigned to v5.x
Migrates the HTTPS certificate generation logic to the new async generate() API
Updates options to match the new SelfsignedOptions type
Adjusts handling of returned PEM values (private / cert)
Removes the transitive dependency on node-forge
This fully eliminates the vulnerable dependency without requiring downstream overrides.
Why this change is safe
The generated certificate is still:
SHA-256
2048-bit key
Valid for 30 days
Scoped to local development (localhost, loopback IPs, etc.)
Existing behavior (auto-generation, caching, expiration cleanup) is preserved
All tests pass locally (npm test)
Notes on compatibility
selfsigned@5 introduces a breaking API change:
generate() is async
Some option names differ from previous versions
This PR adapts webpack-dev-server’s internal usage accordingly
No public API surface of webpack-dev-server is affected
Related
Fixes / addresses: Dependency selfsigned old, creates transitive dependency on vulnerable node-forge #5617
selfsigned@5 release notes: https://www.npmjs.com/package/selfsigned