electron / get

Download Electron release artifacts
https://npm.im/@electron/get
MIT License

Dependabot alerts: Got allows a redirect to a UNIX socket #224

Closed el3um4s closed 1 year ago

el3um4s commented 2 years ago

This warning appears in my projects:

Dependabot alerts: Got allows a redirect to a UNIX socket

The latest possible version that can be installed is 9.6.0 because of the following conflicting dependencies:

electron@19.0.6 requires got@^9.6.0 via @electron/get@1.14.1
electron-builder@23.1.0 requires got@^9.6.0 via a transitive dependency on package-json@6.5.0
nodemon@2.0.18 requires got@^9.6.0 via a transitive dependency on package-json@6.5.0

Is there anything that can be done?

shellatomic commented 2 years ago

Could anyone help me to fix this issue: Open Redirect [Medium Severity] (https://snyk.io/vuln/SNYK-JS-GOT-2932019) in got@9.6.0, introduced by @electron/get@1.14.1 > got@9.6.0 and 1 other path(s). This issue was fixed in versions: 11.8.5, 12.1.

malept commented 2 years ago

In my opinion this is not a high priority for @electron/get. In order to trigger this, it needs to either hijack the user's DNS or their environment variables. If either of those conditions happen, you have larger problems and the attacker might as well do other, less convoluted attacks.

That being said, it will eventually get fixed. However, due to the major version bump of got (which increases the minimum Node.js version), this will not affect any currently released version of the electron npm module, as changing the minimum Node.js version (even transitively) is considered a major breaking change.
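For readers who want to see what the got fix actually guards against, here is an added example (not code from @electron/get or got): a redirect-target check that refuses a Location header resolving to got's `unix:/path/to/socket:/http/path` form, the case this advisory is about, plus an optional same-host restriction. The request URLs and Location values in it are constructed; the `sameHostOnly` option is an assumption, not a got setting.

```javascript
// Added example, not part of @electron/get or got. It mirrors the kind of check
// that a redirect-following HTTP client needs: a Location header is attacker
// influenced (DNS or proxy env vars, as malept notes), so the resolved target must
// be validated before it is followed. got's unix-socket URL syntax is
// "unix:/path/to/socket:/http/path"; a redirect that resolves to such a URL would
// send the next request to a local socket instead of a remote host.

/**
 * Resolve `location` against `requestUrl` and decide whether following it is safe.
 * Returns { ok: true, url } when it may be followed, or { ok: false, reason }.
 * sameHostOnly (an assumption for this example) additionally refuses hops that
 * leave the original host, which is what a release-artifact downloader usually wants.
 */
function checkRedirect(requestUrl, location, { sameHostOnly = false } = {}) {
  const from = new URL(requestUrl);
  let target;
  try {
    // Relative Location values (e.g. "/v1/download") resolve against the request URL.
    target = new URL(location, from);
  } catch {
    return { ok: false, reason: 'unparseable Location header' };
  }
  if (target.protocol === 'unix:') {
    return { ok: false, reason: 'redirect to UNIX socket refused' };
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { ok: false, reason: `unsupported scheme ${target.protocol}` };
  }
  if (sameHostOnly && target.host !== from.host) {
    return { ok: false, reason: `cross-host redirect to ${target.host} refused` };
  }
  return { ok: true, url: target.href };
}

// Constructed sample redirects, as a downloader following a 302 would see them.
const samples = [
  ['https://example.com/release.zip', '/v1/release.zip'],
  ['https://example.com/release.zip', 'unix:/tmp/app.sock:/release.zip'],
  ['https://example.com/release.zip', 'https://mirror.example/release.zip'],
];
for (const [req, loc] of samples) {
  console.log(loc, '=>', checkRedirect(req, loc, { sameHostOnly: true }));
}
```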

kayahr commented 2 years ago

It would be nice to get this fixed by applying the already existing PR. I use Electron in a lot of my projects and it is a bit annoying to get audit warnings from NPM and from GitHub's Dependabot all the time because of this got issue.

In my opinion it is not a good practice to rely on old dependencies which seem to be no longer supported upstream. If you have strong reasons to stay at version 9, then maybe ask the author of got to publish a new patched version 9 to get this issue out of the way?

loukamb commented 1 year ago

This is an incredibly annoying problem. The warning alone is an annoyance, but it becomes more annoying when your project's release was needlessly delayed because senior developers from the other team thought npm's warnings in the CI/CD logs implied your codebase was vulnerable. I don't know if the above PR fixed this issue but even on the latest versions of electron and electron-builder the warning is still present.

kayahr commented 1 year ago

Looks like this problem is already fixed since @electron/get v2 which is used in electron v22. Problem is, electron 22 is not yet released (but installable with npm i electron@beta). So we just have to wait. There is nothing else to do.

And I guess this ticket can be closed.