Closed julianna-ciq closed 1 year ago
cacheable-request depends on http-cache-semantics, which contains an Inefficient Regular Expression Complexity in versions prior to 4.1.1 of that package.

The underlying issue stems from `cacheable-request<4.1.1`, but `cacheable-request@7.0.2` seems to only specify `http-cache-semantics^4.0.0`. You could probably upgrade `http-cache-semantics` in your lockfile without upgrading `cacheable-request` to receive the DoS fix, assuming that package follows semver closely.
This is an incorrect GHSA report; I've filed a PR to fix it in the advisory database: https://github.com/github/advisory-database/pull/1703
I use `@electron/get` as a dependency, and I started failing audits for this issue: https://github.com/advisories/GHSA-8x6c-cv3v-vp6g

`@electron/get` v2.02 uses `got` v11.8.5, which uses `cacheable-request` v7.0.2. Any version of `cacheable-request` below 10.2.7 is vulnerable to the above advisory. The latest version of `got`, v12.5.3, references a safe version of `cacheable-request`, so updating the `got` dependency should also address this advisory.

I tried using yarn resolutions to force `cacheable-request` to v10.2.7, and I got the following error messages:

Request

Can this package update to a non-vulnerable version of `got` or `cacheable-request`?
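Both the maintainer's comment above (pin `http-cache-semantics` in the lockfile without touching `cacheable-request`) and the issue body (forcing the transitive dependency via a resolution) come down to the same two tasks: find every installed copy of `http-cache-semantics` that is older than the fixed release, and emit the override that pins it. The script below is an added example, not code from this thread or from the `@electron/get` project. It assumes a `lockfileVersion` 2 or 3 `package-lock.json` shape (a `packages` map keyed by `node_modules/...` paths), takes 4.1.1 as the first fixed version because the advisory says versions prior to 4.1.1 are affected, and ignores pre-release tags when comparing versions. The constructed sample lockfile is illustrative and not taken from any real project.

```javascript
// Added example: audit a parsed package-lock.json for copies of
// http-cache-semantics below the fixed release and build the pin stanza.

// First release without the ReDoS, per the advisory text quoted in the thread.
const FIXED_VERSION = '4.1.1';

// Compare two semver strings on their numeric major.minor.patch triple.
// Pre-release suffixes are dropped (assumption: not needed for this audit).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed copy of `name` (root or nested) below `fixed`.
function findVulnerable(lock, name = 'http-cache-semantics', fixed = FIXED_VERSION) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const isCopy = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isCopy && compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Stanza to merge into package.json: `resolutions` is honoured by Yarn,
// `overrides` by npm 8.3 and later. Only the one your package manager uses is needed.
function overrideStanza(name = 'http-cache-semantics', range = `^${FIXED_VERSION}`) {
  return { resolutions: { [name]: range }, overrides: { [name]: range } };
}

// Constructed sample lockfile (not from any real project): a root copy of
// http-cache-semantics still on 4.1.0 and a nested copy already on 4.1.1.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/@electron/get': { version: '2.0.2' },
    'node_modules/got': { version: '11.8.5' },
    'node_modules/cacheable-request': {
      version: '7.0.2',
      dependencies: { 'http-cache-semantics': '^4.0.0' },
    },
    'node_modules/http-cache-semantics': { version: '4.1.0' },
    'node_modules/other-lib/node_modules/http-cache-semantics': { version: '4.1.1' },
  },
};

// Usage: report the outdated copies and print the pin to add to package.json.
console.log('outdated copies:', findVulnerable(SAMPLE_LOCK));
console.log(JSON.stringify(overrideStanza(), null, 2));
```

After adding the stanza and reinstalling, rerun the audit; the `^4.1.1` range leaves `cacheable-request@7.0.2`'s own `^4.0.0` constraint satisfied, which is why this pin works without bumping `cacheable-request` or `got`, as the comment above suggests.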