configcat / node-sdk

ConfigCat SDK for Node.js. ConfigCat is a hosted feature flag service: https://configcat.com. Manage feature toggles across frontend, backend, mobile, desktop apps. Alternative to LaunchDarkly. Management app + feature flag SDKs.
https://configcat.com/docs/sdk-reference/node
MIT License

'got' dependency is out of date #45

Closed jdstrand closed 2 years ago

jdstrand commented 2 years ago

Hi!

The got dependency is out of date. https://github.com/configcat/node-sdk/blob/master/package-lock.json#L13 is specifying 9.6.0 but https://github.com/advisories/GHSA-pfrx-2q88-qq97 lists the fix is in 11.8.5 or 12.1.0.

Thanks!
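The check behind this report, as an added example that is not ConfigCat's or the reporter's code: read the `got` version(s) pinned in a `package-lock.json` and compare them against the fixed versions the report cites from the advisory (11.8.5 and 12.1.0). The lock file below is constructed for the example; the only assumption beyond the report is that major lines newer than every patched line are treated as fixed.

```javascript
// Added example (not the node-sdk's code). Audits a package-lock.json for a
// pinned dependency that predates the advisory's fixed releases.

// Fixed versions as cited in the report (GHSA-pfrx-2q88-qq97: 11.8.5 or 12.1.0).
const FIXED_VERSIONS = { got: ['11.8.5', '12.1.0'] };

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A version is fixed when, within its own major line, it is at or above the
// patched release for that line. Majors older than every patched line never
// received a fix (9.6.0 in the report). Majors newer than every patched line
// are treated as fixed; that is an assumption of this example.
function isFixed(version, fixedVersions) {
  const major = parseSemver(version)[0];
  const candidates = fixedVersions
    .filter((f) => parseSemver(f)[0] <= major)
    .sort(compareSemver);
  if (candidates.length === 0) return false;
  const patched = candidates[candidates.length - 1];
  if (parseSemver(patched)[0] !== major) return true;
  return compareSemver(version, patched) >= 0;
}

// Collect every installed copy of `name`, including nested duplicates, from a
// lockfileVersion 1 lock ("dependencies" tree) or a v2/v3 lock ("packages"
// keyed by node_modules path).
function installedVersions(lock, name) {
  const versions = new Set();
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        versions.add(entry.version);
      }
    }
  }
  const walk = (deps) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      if (depName === name && entry.version) versions.add(entry.version);
      if (entry.dependencies) walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...versions];
}

// Returns one finding per installed copy that is still below the fix.
function auditLock(lockJson, fixedTable = FIXED_VERSIONS) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [name, fixed] of Object.entries(fixedTable)) {
    for (const version of installedVersions(lock, name)) {
      if (!isFixed(version, fixed)) findings.push({ name, version, fixedIn: fixed });
    }
  }
  return findings;
}

// Constructed lockfileVersion 1 sample: a top-level got 9.6.0 as in the
// report, plus a nested, already-patched copy under another package.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    got: { version: '9.6.0', resolved: 'https://registry.npmjs.org/got/-/got-9.6.0.tgz' },
    'some-tool': {
      version: '1.0.0',
      dependencies: { got: { version: '11.8.5' } },
    },
  },
});

console.log(JSON.stringify(auditLock(SAMPLE_LOCK)));
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with the file contents; a copy of `got` is flagged only if its own major line is below the patched release, so 11.9.0 passes while 12.0.x is still reported.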

endret commented 2 years ago

Hi @jdstrand ,

Thank you for the report, we are starting the investigation. In the past, we have had an issue with the newest version of got (#33).

Regards, Endre

z4kn4fein commented 2 years ago

Hello @jdstrand,

We released version 8.0.0, in which we removed the dependency on got, so upgrading to it must solve the linked security issue.

Thanks!

jdstrand commented 2 years ago

> Hello @jdstrand,
>
> We released version 8.0.0, in which we removed the dependency on got, so upgrading to it must solve the linked security issue.

Thanks for working on this! :)