From a0a31ad48c909592efd6fa85deb75edebf7e22d4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]"
Date: Mon, 15 Oct 2018 09:37:03 +0200
Subject: [PATCH] [Security] Bump sshpk from 1.13.1 to 1.15.1 (#63)

Bumps [sshpk](https://github.com/joyent/node-sshpk) from 1.13.1 to 1.15.1. **This update includes security fixes.**
Vulnerabilities fixed

*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/fc393f9f-282f-4bc9-953b-d7e4b48352e9).*

> **CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')**
> The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
>
> Affected versions: <1.14.1

*Sourced from The GitHub Vulnerability Alert Database.*

> **CVE-2018-3737**
> See https://nvd.nist.gov/vuln/detail/CVE-2018-3737.
>
> Affected versions: < 1.13.2

*Sourced from [The Node Security Working Group](https://github.com/nodejs/security-wg/blob/master/vuln/npm/401.json).*

> **Denial of Service**
> `sshpk` is vulnerable to ReDoS when parsing crafted invalid public keys
>
> Affected versions: <=1.13.1
Release notes

*Sourced from [sshpk's releases](https://github.com/joyent/node-sshpk/releases).*

> ## v1.14.1
> * Remove all remaining usage of jodid25519 (abandoned dep)
> * Add support for DNSSEC key format
> * Add support for Ed25519 keys in PEM format (according to draft-curdle-pkix)
> * Fixes for X.509 encoding issues (asn.1 NULLs in RSA certs, cert string type mangling)
> * Performance issues parsing long SSH public keys
Commits

- [`2ab4f2a`](https://github.com/joyent/node-sshpk/commit/2ab4f2a018766559252f2c3426a3735f0860ac0d) joyent/node-sshpk#56 md5 fingerprints not quite right
- [`026ef47`](https://github.com/joyent/node-sshpk/commit/026ef4764a55648dd15f45f7f14ff9da5d1fe2ad) joyent/node-sshpk#53 stop using optional deps to fix webpack
- [`53e23fe`](https://github.com/joyent/node-sshpk/commit/53e23feff41226826b45293bc4a9fc45f2e44afe) joyent/node-sshpk#50 Support PKCS#5 AES-256-CBC encrypted private keys
- [`6b68d49`](https://github.com/joyent/node-sshpk/commit/6b68d49abc7876d81cfa2f3947024f4a84c21a94) joyent/node-sshpk#54 want API for accessing x509 extensions
- [`1088992`](https://github.com/joyent/node-sshpk/commit/10889924a536c3e3a839c00a31727d60f6d55756) joyent/node-sshpk#52 Buffer no longer performs length check for hex strings i...
- [`6ec6f9d`](https://github.com/joyent/node-sshpk/commit/6ec6f9db719dabcfaf1771dffcaff8aa56077b88) joyent/node-sshpk#38 want support for more obscure DN OIDs
- [`1cc4c99`](https://github.com/joyent/node-sshpk/commit/1cc4c99dc6ebeb4c6be46fa56e3ec70086f19c49) joyent/node-sshpk#51 package.json repository does not point to Joyent
- [`175758a`](https://github.com/joyent/node-sshpk/commit/175758a9473523409339e6c519c470c808ca03de) joyent/node-sshpk#46 Use Buffer.(from|alloc) instead of deprecated Buffer API
- [`6edb37c`](https://github.com/joyent/node-sshpk/commit/6edb37cb986b7ddaf0d346440d37287cc059bfee) Release 1.14.0
- [`46065d3`](https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957) joyent/node-sshpk#44 Performance issues parsing long SSH public keys
- Additional commits viewable in [compare view](https://github.com/joyent/node-sshpk/compare/v1.13.1...v1.15.1)

[![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=sshpk&package-manager=npm_and_yarn&previous-version=1.13.1&new-version=1.15.1)](https://dependabot.com/compatibility-score.html?dependency-name=sshpk&package-manager=npm_and_yarn&previous-version=1.13.1&new-version=1.15.1) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. Dependabot will **not** automatically merge this PR because it includes a minor update to a production dependency. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
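The advisories quoted in the PR body give three affected ranges for `sshpk`, and a yarn v1 lockfile keeps one entry per distinct requested range, so a bump of one entry does not prove that every resolution of the package is clean. The following Node script is an added example, not code from this Dependabot PR or from the sshpk project: it parses a yarn.lock, checks each `sshpk` resolution against the quoted ranges, and pulls out the sha1 fragment that yarn pins in `resolved` so it can be compared with the registry's `dist.shasum`. The two lockfile snippets are constructed for the example (the `sshpk@>= 1.13.0 < 1.14.0` entry is invented to show a stale second resolution); the `resolved` URLs for 1.13.1, 1.15.1 and safer-buffer are the ones in this PR's diff.

```javascript
'use strict';

// Added example, not code from the Dependabot PR or from sshpk. Audits a yarn v1
// lockfile offline: every resolution of a package is checked against the affected
// ranges quoted in the PR body, because yarn keeps one entry per distinct range and
// bumping one entry can leave another resolution of the same package untouched.

// Affected ranges quoted in the PR body, each written as "fixed in X" (affected when
// version < X). NSWG's "<=1.13.1" is the same set as "<1.13.2".
const SSHPK_ADVISORIES = [
  { id: 'CWE-400 (Sonatype OSS Index)', fixedIn: '1.14.1' },
  { id: 'CVE-2018-3737', fixedIn: '1.13.2' },
  { id: 'nodejs/security-wg 401 (ReDoS)', fixedIn: '1.13.2' },
];

// Parse yarn.lock v1 into [{ specs, name, version, resolved }]. An entry header sits
// at column 0 and ends with ':'; the indented "version" and "resolved" lines are kept.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      // The package name is everything before the last '@' (scoped names begin with '@').
      const name = specs[0].slice(0, specs[0].lastIndexOf('@'));
      current = { specs, name, version: null, resolved: null };
      entries.push(current);
      continue;
    }
    const m = /^\s+(version|resolved)\s+"([^"]*)"\s*$/.exec(line);
    if (m && current) current[m[1]] = m[2];
  }
  return entries;
}

// Numeric compare of dotted versions; a pre-release suffix ("-beta.1") sorts below its
// release, which is enough for the plain x.y.z bounds used here.
function compareVersions(a, b) {
  const [ac, ap] = a.split('-');
  const [bc, bp] = b.split('-');
  const an = ac.split('.').map(Number);
  const bn = bc.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (an[i] || 0) - (bn[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (ap && !bp) return -1;
  if (!ap && bp) return 1;
  return 0;
}

// Every resolution of `pkg` that is still below an advisory's fixed version.
function auditLock(text, pkg, advisories) {
  const findings = [];
  for (const e of parseYarnLock(text)) {
    if (e.name !== pkg || !e.version) continue;
    const hit = advisories.filter(a => compareVersions(e.version, a.fixedIn) < 0).map(a => a.id);
    if (hit.length) findings.push({ specs: e.specs, version: e.version, advisories: hit });
  }
  return findings;
}

// yarn v1 pins the tarball's sha1 as the URL fragment of `resolved`; compare the
// returned value with `npm view <pkg>@<version> dist.shasum`.
function shasumFromResolved(resolved) {
  const m = /#([0-9a-f]{40})$/.exec(resolved || '');
  return m ? m[1] : null;
}

// Constructed lockfile snippets (yarn v1 syntax). Resolved URLs for sshpk 1.13.1,
// 1.15.1 and safer-buffer 2.1.2 are taken from the PR diff; the second sshpk entry
// in LOCK_AFTER is invented to show a narrower range the bump did not touch.
const LOCK_BEFORE = `
sshpk@^1.7.0:
  version "1.13.1"
  resolved "https://registry.yarnpkg.com/sshpk/-/sshpk-1.13.1.tgz#512df6da6287144316dc4c18fe1cf1d940739be3"
  dependencies:
    asn1 "~0.2.3"
    assert-plus "^1.0.0"
`;

const LOCK_AFTER = `
"safer-buffer@>= 2.1.2 < 3", safer-buffer@^2.0.2:
  version "2.1.2"
  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"

sshpk@^1.7.0:
  version "1.15.1"
  resolved "https://registry.yarnpkg.com/sshpk/-/sshpk-1.15.1.tgz#b79a089a732e346c6e0714830f36285cd38191a2"
  dependencies:
    asn1 "~0.2.3"
    safer-buffer "^2.0.2"

# Constructed: a second, narrower range that the bump above did not touch.
"sshpk@>= 1.13.0 < 1.14.0":
  version "1.13.1"
  resolved "https://registry.yarnpkg.com/sshpk/-/sshpk-1.13.1.tgz#512df6da6287144316dc4c18fe1cf1d940739be3"
`;

console.log(JSON.stringify(auditLock(LOCK_AFTER, 'sshpk', SSHPK_ADVISORIES), null, 2));
```

Run against the real file with `auditLock(fs.readFileSync('yarn.lock', 'utf8'), 'sshpk', SSHPK_ADVISORIES)`; an empty array means no resolution of the package is left inside the quoted ranges, and `shasumFromResolved` on each entry gives the value to check against the registry before trusting the pin.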
--- yarn.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/yarn.lock b/yarn.lock index 010d4ca5..37260087 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2731,7 +2731,7 @@ safe-regex@^1.1.0: dependencies: ret "~0.1.10" -"safer-buffer@>= 2.1.2 < 3": +"safer-buffer@>= 2.1.2 < 3", safer-buffer@^2.0.2: version "2.1.2" resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a" @@ -2913,17 +2913,17 @@ sprintf-js@~1.0.2: resolved "https://registry.yarnpkg.com/sprintf-js/-/sprintf-js-1.0.3.tgz#04e6926f662895354f3dd015203633b857297e2c" sshpk@^1.7.0: - version "1.13.1" - resolved "https://registry.yarnpkg.com/sshpk/-/sshpk-1.13.1.tgz#512df6da6287144316dc4c18fe1cf1d940739be3" + version "1.15.1" + resolved "https://registry.yarnpkg.com/sshpk/-/sshpk-1.15.1.tgz#b79a089a732e346c6e0714830f36285cd38191a2" dependencies: asn1 "~0.2.3" assert-plus "^1.0.0" - dashdash "^1.12.0" - getpass "^0.1.1" - optionalDependencies: bcrypt-pbkdf "^1.0.0" + dashdash "^1.12.0" ecc-jsbn "~0.1.1" + getpass "^0.1.1" jsbn "~0.1.0" + safer-buffer "^2.0.2" tweetnacl "~0.14.0" stack-utils@^1.0.1:
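Review bot: in the safer-buffer hunk, the merged header `"safer-buffer@>= 2.1.2 < 3", safer-buffer@^2.0.2:` only folds the new `^2.0.2` request from sshpk into the 2.1.2 already in the lock, so no new tarball is introduced there; what the unchanged `resolved` line does show is that this lockfile pins tarballs solely by the sha1 URL fragment (`#44fa161b0187b9549dd84bb91802f9bd8385cd6a`) with no `integrity` field, so a registry-side tarball swap would only be caught by sha1. Worth a follow-up that regenerates the lock with a yarn release that writes `integrity` (sha512) entries.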
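Review bot: in the sshpk hunk, removing `optionalDependencies:` promotes `bcrypt-pbkdf`, `ecc-jsbn`, `jsbn` and `tweetnacl` to hard dependencies and adds `safer-buffer "^2.0.2"`, so an install can now fail where a missing optional dependency was previously tolerated; run CI with `yarn install --frozen-lockfile` on this branch to confirm. The request range `sshpk@^1.7.0` is untouched and still admits the vulnerable 1.13.1, so the pinned `version "1.15.1"` in the lock is the only thing holding the fix; keep `--frozen-lockfile` in CI so a regenerated lock cannot silently resolve differently. Before merging, compare the new fragment `#b79a089a732e346c6e0714830f36285cd38191a2` with `npm view sshpk@1.15.1 dist.shasum`.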