
Update node-forge library for CVE-2025-66031#1797

Merged
TamiTakamiya merged 1 commit into main from TamiTakamiya/AAP-59983/CVE-2025-66031
Dec 10, 2025

Conversation

@TamiTakamiya
Contributor

@TamiTakamiya TamiTakamiya commented Dec 5, 2025

Jira Issue: https://issues.redhat.com/browse/AAP-59983

Assisted-by: n/a
Generated by: n/a

Description

Update node-forge library, which is used in the admin console Node app, for CVE-2025-66031

Testing

Steps to test

  1. Pull down the PR
  2. cd ansible_ai_connect_admin_console
  3. npm install
  4. npm run test:all

Type of Change

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to break)
  • Security fix
  • Performance improvement
  • Code refactoring
  • Documentation update
  • CI/CD update

Backport Policy

This change should be:

  • Not backported - main/master only
  • Backported to specific releases (add labels after merge)

Automated Backport Instructions

After this PR is merged, add one or more labels to automatically create backport PRs:

  • backport/all - Backport to all active stable branches

Backport Justification

Security vulnerability fix (CVE-2025-66031)

Special backport considerations:

Scenarios tested

Production deployment

  • This code change is ready for production on its own
  • This code change requires the following considerations before going to production:

Note

Adds node-forge@^1.3.3 and raises the Node engine requirement to >=20.

  • Dependencies:
    • Add node-forge@^1.3.3 to ansible_ai_connect_admin_portal/package.json and lockfile.
  • Engines/Build:
    • Bump Node engine requirement from >=18 to >=20 in package.json and package-lock.json.

Written by Cursor Bugbot for commit c448deb. This will update automatically on new commits.
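As an added post-merge check that is not part of this PR or the project's code: a small Node script that scans a package-lock.json (v2/v3 `packages` map) for every copy of node-forge, nested ones included, still below the ^1.3.3 this PR pins, and confirms the lockfile's root `engines.node` requires at least Node 20. The `compareVersions` helper and the embedded sample lockfile are constructed for this example.

```javascript
// Added example: verify a lockfile reflects the node-forge update and Node engine bump.
// Thresholds are taken from the PR description; the lockfile below is a constructed sample.
const FIXED_NODE_FORGE = '1.3.3';
const REQUIRED_NODE_MAJOR = 20;

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk every ".../node_modules/node-forge" entry (root and nested copies) and
// return those whose resolved version is below the pinned fix version.
function findVulnerableNodeForge(lock) {
  const bad = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/node-forge')) continue;
    if (compareVersions(entry.version, FIXED_NODE_FORGE) < 0) {
      bad.push({ path, version: entry.version });
    }
  }
  return bad;
}

// Extract the minimum major from an engines.node range such as ">=20" or ">=20.0.0".
function minimumNodeMajor(engines) {
  const m = /^>=\s*(\d+)/.exec((engines && engines.node) || '');
  return m ? Number(m[1]) : null;
}

// Constructed sample: the root dependency is updated, but a stale nested copy
// under another package survives, which is the case a plain package.json diff misses.
const sampleLock = {
  name: 'admin-console', lockfileVersion: 3,
  packages: {
    '': { engines: { node: '>=20' } },
    'node_modules/node-forge': { version: '1.3.3' },
    'node_modules/some-dep/node_modules/node-forge': { version: '1.3.1' },
  },
};

const stale = findVulnerableNodeForge(sampleLock);
const nodeOk = minimumNodeMajor(sampleLock.packages[''].engines) >= REQUIRED_NODE_MAJOR;
console.log({ stale, nodeOk });
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; any entry in `stale` means `npm audit` will keep flagging node-forge after the update.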

@github-actions

github-actions bot commented Dec 5, 2025

# npm audit report

happy-dom  <20.0.0
Severity: critical
Happy DOM: VM Context Escape can lead to Remote Code Execution - https://github.com/advisories/GHSA-37j7-fg3j-429f
fix available via `npm audit fix --force`
Will install happy-dom@20.0.11, which is a breaking change
node_modules/happy-dom

js-yaml  <3.14.2 || >=4.0.0 <4.1.1
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@eslint/eslintrc/node_modules/js-yaml
node_modules/cosmiconfig/node_modules/js-yaml
node_modules/eslint/node_modules/js-yaml
node_modules/js-yaml

2 vulnerabilities (1 moderate, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

@github-actions

github-actions bot commented Dec 5, 2025

# npm audit report

happy-dom  <20.0.0
Severity: critical
Happy DOM: VM Context Escape can lead to Remote Code Execution - https://github.com/advisories/GHSA-37j7-fg3j-429f
fix available via `npm audit fix --force`
Will install happy-dom@20.0.11, which is a breaking change
node_modules/happy-dom

1 critical severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

@TamiTakamiya TamiTakamiya changed the title CUpdate node-forge library for CVE-2025-66031 Update node-forge library for CVE-2025-66031 Dec 5, 2025
@TamiTakamiya TamiTakamiya requested a review from de1987 December 9, 2025 17:13
@TamiTakamiya TamiTakamiya force-pushed the TamiTakamiya/AAP-59983/CVE-2025-66031 branch from f4f336f to c448deb December 10, 2025 14:34
@TamiTakamiya TamiTakamiya merged commit a6da3e2 into main Dec 10, 2025
13 checks passed
@TamiTakamiya TamiTakamiya deleted the TamiTakamiya/AAP-59983/CVE-2025-66031 branch December 10, 2025 17:46