
update node-forge to latest version #1809

Merged
acosferreira merged 2 commits into main from ana/update-latest-node-forge
Dec 31, 2025

Conversation

@acosferreira
Contributor

@acosferreira acosferreira commented Dec 31, 2025

Jira Issue: https://issues.redhat.com/browse/AAP-61274

Assisted-by: @omaciel

Description

update package-lock to use latest version of node-forge (1.3.1 -> 1.3.4)

Testing

Steps to test

  1. Pull down the PR
  2. ...
  3. ...

Type of Change

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to break)
  • Security fix
  • Performance improvement
  • Code refactoring
  • Documentation update
  • CI/CD update

Backport Policy

This change should be:

  • Not backported - main/master only
  • Backported to specific releases (add labels after merge)

Automated Backport Instructions

After this PR is merged, add one or more labels to automatically create backport PRs:

  • backport/stable-2.4 - Backport to stable-2.4 branch
  • backport/stable-2.5 - Backport to stable-2.5 branch
  • backport/stable-2.6 - Backport to stable-2.6 branch
  • backport/all - Backport to all active stable branches
  • no-backport - Explicitly mark as not needing backport

Backport Justification

Special backport considerations:

Scenarios tested

Production deployment

  • This code change is ready for production on its own
  • This code change requires the following considerations before going to production:

Note

Updates dependency resolutions in package-lock.json for the Express stack.

  • Bumps express to 4.22.1, body-parser to 1.20.4, qs to 6.14.1, raw-body to 2.5.3, and @types/node-forge to 1.3.14
  • Loosens several sub-dependency ranges and updates transitive deps (e.g., http-errors@2.0.1, statuses@2.0.2), introducing side-channel-* and call-bound packages
  • Toggles some deps between devOptional and dev; no application code changes

Written by Cursor Bugbot for commit 447cd8d.

@acosferreira acosferreira enabled auto-merge (squash) December 31, 2025 18:19
@github-actions

# npm audit report

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/qs
  body-parser  <=1.20.3 || 2.0.0-beta.1 - 2.0.2
  Depends on vulnerable versions of qs
  node_modules/body-parser
    express  2.5.8 - 2.5.11 || 3.2.1 - 3.2.3 || 4.0.0-rc1 - 4.21.2 || 5.0.0-alpha.1 - 5.0.1
    Depends on vulnerable versions of body-parser
    Depends on vulnerable versions of qs
    node_modules/express

3 high severity vulnerabilities

To address all issues, run:
  npm audit fix

package-lock.json excerpt the review comment below is anchored on:

```json
"version": "1.3.3",
"resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.3.tgz",
"integrity": "sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==",
"devOptional": true,
```

Security update not applied - version remains unchanged

The PR claims to be a security fix updating node-forge from version 1.3.1 to 1.3.4, but the actual node-forge package version remains at 1.3.3. The only changes are updating @types/node-forge (the TypeScript type definitions, not the actual library) and removing the devOptional flag. If a security vulnerability exists that requires version 1.3.4 or later, this PR does not actually address it. The security fix referenced in the PR description may not have been properly applied.

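The mismatch the review comment flags (the lock resolves node-forge to 1.3.3 while the PR claims 1.3.4) is the kind of thing a lockfile check in CI catches before merge. The following is an added example, not code from this PR or the project: it walks the lockfileVersion 2/3 "packages" map of a package-lock.json and reports every copy of a dependency, nested copies included, that resolves below a required version. The lock data is constructed for the example; only the node-forge entry mirrors the lines quoted above.

```javascript
// Added example: verify that package-lock.json really resolves a dependency
// to at least the version a PR claims to ship. Works on the lockfileVersion
// 2/3 "packages" map, so nested copies (node_modules/a/node_modules/b) are
// reported too, and "@types/x" is never confused with "x".

// Constructed sample lock; node-forge entry mirrors the quoted excerpt.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { "node-forge": "^1.3.1" } },
    "node_modules/node-forge": {
      version: "1.3.3",
      resolved: "https://registry.npmjs.org/node-forge/-/node-forge-1.3.3.tgz",
    },
    "node_modules/@types/node-forge": { version: "1.3.14", dev: true },
    "node_modules/qs": { version: "6.14.1" },
    "node_modules/express/node_modules/qs": { version: "6.13.0" },
  },
};

// Package name from a lock key: everything after the last "node_modules/".
function packageNameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Every resolved version of `name` in the tree, keyed by lock path.
function resolvedVersions(lock, name) {
  const out = {};
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (packageNameFromKey(key) === name && entry.version) out[key] = entry.version;
  }
  return out;
}

// Compare dotted numeric versions (prerelease suffix ignored): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Paths of every copy of `name` resolved below `minVersion` ("path@version").
function copiesBelow(lock, name, minVersion) {
  const found = Object.entries(resolvedVersions(lock, name));
  return found.filter(([, v]) => compareVersions(v, minVersion) < 0).map(([k, v]) => `${k}@${v}`);
}
```

Run against a real lock with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of SAMPLE_LOCK; a non-empty result for the package and version named in the PR description is the signal the review comment is describing.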

@sonarqubecloud

@acosferreira acosferreira merged commit 78c4275 into main Dec 31, 2025
13 checks passed
@acosferreira acosferreira deleted the ana/update-latest-node-forge branch December 31, 2025 18:37