Closed: juniorp07 closed this issue 12 months ago
Thanks for reporting this! We'll look into it asap. And I believe the link to the advisory board should have been https://github.com/advisories/GHSA-rc47-6667-2j5j (there was a `]` that should have been a `j`).
This was fixed in commit https://github.com/Unleash/unleash-client-node/commit/7ebda1a999017aa38b45e48a0e8bc5ea73da0920. We pin http-cache-semantics to version 4.1.1.
Description:
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. http-cache-semantics is a transitive dependency stemming from make-fetch-happen@10.2.1.
https://github.com/advisories/GHSA-rc47-6667-2]5j
Remediation:
Upgrade http-cache-semantics to version 4.1.1 or above.
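To check whether a project still pulls in a vulnerable copy before and after applying the remediation above, the following Node script walks a `package-lock.json` and reports every occurrence of http-cache-semantics older than 4.1.1, including nested copies under make-fetch-happen that `npm ls` output is easy to misread. This is an added example, not code from unleash-client-node or from the advisory; the lockfile it parses is constructed inline for illustration, and the `overrides` object it suggests assumes an npm 8.3+ consumer (other package managers pin differently).

```javascript
// Added example (not unleash-client-node code): find http-cache-semantics < 4.1.1
// in a package-lock.json and suggest an npm "overrides" pin for it.

const PACKAGE = 'http-cache-semantics';
const FIXED = [4, 1, 1]; // first version the advisory lists as patched

// Parse "4.1.0" (optionally prefixed with "^" or "~") into [major, minor, patch].
function parseSemver(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing two [major, minor, patch] triples.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareSemver(parseSemver(version), FIXED) < 0;
}

// Walks both lockfile shapes: the flat "packages" map of lockfileVersion 2/3
// (keyed by install path such as "node_modules/make-fetch-happen/node_modules/http-cache-semantics")
// and the older nested "dependencies" tree. v2 lockfiles contain both, so hits
// are de-duplicated by install path.
function findVulnerable(lock) {
  const hits = new Map();
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${PACKAGE}`) && meta.version && isVulnerable(meta.version)) {
        hits.set(path, { path, version: meta.version });
      }
    }
  }
  if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PACKAGE && meta.version && isVulnerable(meta.version)) {
          hits.set(path, { path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return [...hits.values()];
}

// Convenience wrapper for raw lockfile text (e.g. fs.readFileSync('package-lock.json', 'utf8')).
function auditLockText(text) {
  return findVulnerable(JSON.parse(text));
}

// npm "overrides" entry that forces every copy to the fixed release; null when nothing to fix.
function suggestOverride(hits) {
  return hits.length ? { [PACKAGE]: '4.1.1' } : null;
}

// Constructed sample lockfile: a hoisted fixed copy plus a vulnerable copy nested
// under make-fetch-happen@10.2.1 (the dependency chain named in the report).
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/http-cache-semantics': { version: '4.1.1' },
    'node_modules/make-fetch-happen': { version: '10.2.1' },
    'node_modules/make-fetch-happen/node_modules/http-cache-semantics': { version: '4.1.0' },
  },
  dependencies: {
    'http-cache-semantics': { version: '4.1.1' },
    'make-fetch-happen': {
      version: '10.2.1',
      dependencies: { 'http-cache-semantics': { version: '4.1.0' } },
    },
  },
};

const sampleHits = findVulnerable(sampleLock);
for (const h of sampleHits) console.log(`vulnerable: ${h.path} (${h.version})`);
console.log('suggested overrides:', JSON.stringify(suggestOverride(sampleHits)));
```

Run it against a real lockfile by passing the file contents to `auditLockText`; an empty result after upgrading (or after adding the suggested `overrides` block to package.json and reinstalling) confirms the remediation took effect for every nested copy, not just the hoisted one.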