We are planning the next major release of Forge CLI on June 24, 2025. This release will come with the following breaking changes:
Discontinue support for deprecated node version: Node 18.x
We are discontinuing support for Node 18, as it has reached end of life and will no longer be receiving security updates. To use the new versions of the CLI, upgrade your local Node version to 20 or higher.
To upgrade your Node version:
Run the following commands to install the latest Node with nvm:
nvm install --lts
nvm use --lts
Then run node --version to verify that the latest node version is installed.
Standardize CLI flags: remove v1 and v2 flags from the version compare command
We are working on standardising the flags for Forge CLI commands where short flags will be a single alphanumeric character. Therefore, we are removing the -v1 and -v2 flags from the version compare command.
To use the new CLI, change the version compare command from:
forge version compare -v1 3 -v2 5
to
forge version compare --version1=3 --version2=5
These changes will be added to the Forge changelog after the new version of CLI is released. Feel free to respond to the post if you have any questions related to this release.
Will the new version of the Forge CLI address the security issues in the dependencies? The current CLI has many dependencies with known vulnerabilities.
Hi @marc! Just to confirm, which vulnerabilities are you referring to here?
We do have a fix to ensure punycode is out of the dependency tree coming in this release, and we have scheduled work (likely for the release after) to address a larger list of deprecated packages, which may become vulnerable in the future.
# npm audit report
@babel/helpers <7.26.10
Severity: moderate
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/@babel/helpers
body-parser <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/body-parser
express <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of cookie
Depends on vulnerable versions of path-to-regexp
Depends on vulnerable versions of send
Depends on vulnerable versions of serve-static
node_modules/@forge/cli/node_modules/express
brace-expansion 1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/brace-expansion
node_modules/@forge/cli/node_modules/recursive-readdir/node_modules/brace-expansion
node_modules/@forge/cli/node_modules/webpack-dev-server/node_modules/brace-expansion
braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/braces
browserify-sign 2.6.0 - 4.2.1
Severity: high
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack - https://github.com/advisories/GHSA-x9w5-v3q2-3rhw
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/browserify-sign
cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/cookie
elliptic <=6.6.0
Severity: critical
Elliptic's EDDSA missing signature length check - https://github.com/advisories/GHSA-f7q4-pwc6-w24p
Elliptic's ECDSA missing check for whether leading bit of r and s is zero - https://github.com/advisories/GHSA-977x-g7h5-7qgw
Elliptic allows BER-encoded signatures - https://github.com/advisories/GHSA-49q7-c7j4-3p7m
Valid ECDSA signatures erroneously rejected in Elliptic - https://github.com/advisories/GHSA-fc9h-whq2-v747
Elliptic's verify function omits uniqueness validation - https://github.com/advisories/GHSA-434g-2637-qmqr
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) - https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/elliptic
follow-redirects <=1.15.5
Severity: moderate
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/follow-redirects
http-proxy-middleware <=2.0.8
Severity: high
Denial of service in http-proxy-middleware - https://github.com/advisories/GHSA-c7qv-q95q-8v27
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed - https://github.com/advisories/GHSA-9gqv-wp59-fq42
http-proxy-middleware can call writeBody twice because "else if" is not used - https://github.com/advisories/GHSA-4www-5p9h-95mh
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/http-proxy-middleware
loader-utils 2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/loader-utils
lodash.pick >=4.0.0
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install @forge/cli@1.5.0, which is a breaking change
node_modules/@forge/cli/node_modules/lodash.pick
cheerio 0.19.0 - 1.0.0-rc.12
Depends on vulnerable versions of css-select
Depends on vulnerable versions of lodash.pick
node_modules/@forge/cli/node_modules/cheerio
@forge/bundler >=1.0.12-next.0
Depends on vulnerable versions of @forge/cli-shared
Depends on vulnerable versions of @forge/lint
Depends on vulnerable versions of @forge/manifest
Depends on vulnerable versions of cheerio
node_modules/@forge/cli/node_modules/@forge/bundler
@forge/cli <=0.0.0-experimental-a9f00a0 || >=1.5.1-next.0
Depends on vulnerable versions of @forge/bundler
Depends on vulnerable versions of @forge/cli-shared
Depends on vulnerable versions of @forge/lint
Depends on vulnerable versions of @forge/manifest
Depends on vulnerable versions of @forge/tunnel
Depends on vulnerable versions of cheerio
node_modules/@forge/cli
@forge/tunnel <=0.0.1-next.15 || >=1.3.1-next.0
Depends on vulnerable versions of @forge/bundler
Depends on vulnerable versions of @forge/cli-shared
Depends on vulnerable versions of @forge/csp
Depends on vulnerable versions of webpack-dev-server
node_modules/@forge/cli/node_modules/@forge/tunnel
@forge/cli-shared >=1.3.1-next.0
Depends on vulnerable versions of @forge/manifest
Depends on vulnerable versions of cheerio
node_modules/@forge/cli/node_modules/@forge/cli-shared
@forge/lint <=0.0.0-experimental-fbe27f8 || >=1.3.1-next.0
Depends on vulnerable versions of @forge/cli-shared
Depends on vulnerable versions of @forge/csp
Depends on vulnerable versions of @forge/manifest
node_modules/@forge/cli/node_modules/@forge/lint
@forge/csp <=0.0.0-experimental-f85f9b1 || >=1.7.0-next.0
Depends on vulnerable versions of cheerio
node_modules/@forge/cli/node_modules/@forge/csp
@forge/manifest <=0.0.0-experimental-fbe27f8 || >=2.3.1-next.0
Depends on vulnerable versions of cheerio
node_modules/@forge/cli/node_modules/@forge/manifest
micromatch <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/micromatch
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @forge/cli@1.5.0, which is a breaking change
node_modules/@forge/cli/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/@forge/cli/node_modules/cheerio/node_modules/css-select
path-to-regexp <=0.1.11
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
path-to-regexp contains a ReDoS - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/path-to-regexp
send <0.19.0
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/send
serve-static <=1.16.0
Depends on vulnerable versions of send
node_modules/@forge/cli/node_modules/serve-static
serialize-javascript 6.0.0 - 6.0.1
Severity: moderate
Cross-site Scripting (XSS) in serialize-javascript - https://github.com/advisories/GHSA-76p7-773f-r4q5
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/serialize-javascript
tar-fs 2.0.0 - 2.1.2
Severity: high
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File - https://github.com/advisories/GHSA-pq67-2wwv-3xjx
tar-fs can extract outside the specified dir with a specific tarball - https://github.com/advisories/GHSA-8cj5-5rvv-wf4v
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/tar-fs
webpack-dev-middleware <=5.3.3
Severity: high
Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/webpack-dev-middleware
webpack-dev-server <=5.2.0
Severity: moderate
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser - https://github.com/advisories/GHSA-9jgg-88mc-972h
webpack-dev-server users' source code may be stolen when they access a malicious web site - https://github.com/advisories/GHSA-4v9v-hfq4-rm2v
fix available via `npm audit fix --force`
Will install @forge/cli@1.5.0, which is a breaking change
node_modules/@forge/cli/node_modules/webpack-dev-server
ws 7.0.0 - 7.5.9 || 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/webpack-dev-server/node_modules/ws
node_modules/@forge/cli/node_modules/ws
I’ll follow up within the team. We run a security scanner which may at times have different results from npm audit or yarn audit based on internal judgements. However, I won’t rule out a configuration issue, and I have raised a critical-level internal vulnerability ticket. Thanks for the report.
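The report above separates advisories npm can patch in place (`fix available via npm audit fix`) from those whose only fix is a breaking bump of @forge/cli itself (`--force`, "Will install @forge/cli@1.5.0"), and entries that are only affected through a dependency ("Depends on vulnerable versions of ..."). As an added example, not part of the thread or of the Forge project, here is a triage gate over the same data in `npm audit --json` form (npm's auditReportVersion 2 schema); the sample report is constructed from a few entries of the text output above.

```javascript
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring three entries of the thread's report (not captured npm output).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'body-parser': {
      name: 'body-parser', severity: 'high', range: '<1.20.3', fixAvailable: true,
      via: [{ title: 'body-parser vulnerable to denial of service when url encoding is enabled',
              url: 'https://github.com/advisories/GHSA-qwcr-r2fm-qrc7', severity: 'high' }],
      nodes: ['node_modules/@forge/cli/node_modules/body-parser'],
    },
    express: {
      name: 'express', severity: 'high', range: '<=4.21.0', fixAvailable: true,
      via: ['body-parser'], // strings only: "Depends on vulnerable versions of body-parser"
      nodes: ['node_modules/@forge/cli/node_modules/express'],
    },
    'lodash.pick': {
      name: 'lodash.pick', severity: 'high', range: '>=4.0.0',
      via: [{ title: 'Prototype Pollution in lodash',
              url: 'https://github.com/advisories/GHSA-p6mc-m468-83gw', severity: 'high' }],
      nodes: ['node_modules/@forge/cli/node_modules/lodash.pick'],
      // Object form with isSemVerMajor = "fix available via `npm audit fix --force`".
      fixAvailable: { name: '@forge/cli', version: '1.5.0', isSemVerMajor: true },
    },
  },
};

// Sort each finding at or above minSeverity by how it can be remediated.
function triageAudit(report, minSeverity = 'high') {
  const out = { autoFixable: [], breakingFix: [], noFix: [], belowThreshold: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    // `via` holding only strings means no advisory of its own, just a vulnerable dependency.
    const entry = { name: v.name, severity: v.severity, paths: v.nodes,
                    transitiveOnly: v.via.every((x) => typeof x === 'string') };
    if (SEVERITY_RANK[v.severity] < SEVERITY_RANK[minSeverity]) out.belowThreshold.push(entry);
    else if (v.fixAvailable === false) out.noFix.push(entry);
    else if (v.fixAvailable === true || !v.fixAvailable.isSemVerMajor) out.autoFixable.push(entry);
    else out.breakingFix.push({ ...entry, upgrade: `${v.fixAvailable.name}@${v.fixAvailable.version}` });
  }
  return out;
}

// CI gate: pass only when every finding at/above the threshold is fixable without a breaking change.
function gatePasses(report, minSeverity = 'high') {
  const t = triageAudit(report, minSeverity);
  return t.breakingFix.length === 0 && t.noFix.length === 0;
}
```

Pipe real output in with `npm audit --json > audit.json` and `JSON.parse` it in place of `sampleReport`; the `breakingFix` bucket is the list to discuss with the CLI maintainers, since a consumer cannot resolve those without a new @forge/cli major.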