Upgrade node-forge to 0.10.0 - in 2.0.4 release

[kidplug]

In light of new advisory:

High │ Prototype Pollution in node-forge
https://npmjs.com/advisories/1561

[kidplug]

Current package.json:

  "dependencies": {
    "node-forge": "^0.9.0"
  },

Semantic versioning for major "0" ignores the caret ^ :(

[kidplug]

Closed, won't do?

[sofisl]

I'm sorry, premature close! I was confused by the PR earlier.

[kidplug]

This doesn't fix the issue in the google-p12-pem@2.0.4 release

[stephenplusplus]

My PR unintentionally closed this issue. I don't know if we want to go back and address this in the 2.0.0 release-- are you unable to upgrade to ^3.0?

[kidplug]

We'd prefer to not upgrade all these libs at this time.
The dependency tree is this:

└─┬ @google-cloud/speech@3.6.0
  └─┬ @google-cloud/common@2.4.0
    └─┬ google-auth-library@5.10.1
      └─┬ gtoken@4.1.4
        └─┬ google-p12-pem@2.0.4
          └── node-forge@0.9.2

As far as I can tell, 3.6.0 is still a "current" release of google cloud speech; likewise for all the other packages shown.
The only package in that last which is not a "current" release is node-forge.

I would expect any "current" releases to apply dependency upgrades when a "HIGH" npm advisory is issued:
High │ Prototype Pollution in node-forge
https://npmjs.com/advisories/1561

[stephenplusplus]

I'm currently working through a similar tree here: googleapis/nodejs-logging#904 (comment). Eventually, Speech (the ^4.x releases) will get a new release once the others are updated.

cc @bcoe @JustinBeckwith for the concerns regarding the release process.

[stephenplusplus]

@kidplug Going back in a previous release line to make the fix is possible, but ideally, you could upgrade to make sure you're protected going forward. Is there anything we can do to help the upgrade process? Did the change to speech@4 involve any breaking changes that are difficult to include in your app/environment?

[kidplug]

I'll try the google speech v4 upgrade. Initially testing seems fine.

[bcoe]

@kidplug did the upgrade go okay for you? I'm debating today whether or not we need to back-port fixes to the 5.x version of auth.

[kidplug]

Yes, our application ran fine on the upgraded speech library. Planning to commit the upgrade in our upcoming release.

[staadecker]

@bcoe I would personally would really enjoy a back-port fix to at least 2.0.2 since the firebase-tools package depends on 2.0.2 and isn't able to update to the latest version (see here, they don't want to drop support to Node 8). A back-port to versions 2.0.2 and 2.0.4 would resolve the issue. firebase-tools has over 1 million monthly downloads.

Thank you!

[sofisl]

@bcoe, given that this would involve back-porting a fix, and that we are not currently (though we do plan to) provide ongoing support to these versions in the future, I'm relabeling this issue as a process. We can (eventually) try out Java's new tooling for these types of requests.

[chingor13]

Backported to v2.0.5 in #345