erickzhao
commented
1 year ago Duplicate of https://github.com/electron/get/issues/242
"http-cache-semantics": "^4.0.0" is not tied to the vulnerable version. 4.1.1 is compliant with ^4.0.0.
Closed nabchar closed 1 year ago
erickzhao
commented
1 year ago Duplicate of https://github.com/electron/get/issues/242
"http-cache-semantics": "^4.0.0" is not tied to the vulnerable version. 4.1.1 is compliant with ^4.0.0.
Snyk lists
http-cache-semanticsas having a Regular Expression Denial of Service (ReDoS) security vulnerability for any versions prior to4.1.1. Read here for more info.In this package, the dependency on
"got": "^11.8.5"internally has a dependency on"cacheable-request": "^7.0.2", which in turn has a dependency on"http-cache-semantics": "^4.0.0"-- which is tied to a minor version that has the security vulnerability mentioned above.