There is a vulnerability in the "got" library that allows a redirect to a unix socket. This is failing NPM audit and other security scanning tools. The dependency comes from the "download" library, which hasn't been updated in two years.
It is possible to do npm audit --omit=dev, but this is slightly skirting the issue! Explicitly specifying the version of download or got doesn't seem to fix this issue, since NPM still looks at the dependency versions in the parent package.
Is it possible to get a fix that removes the dependency on the "download" library? (Or alternatively, get an update into the "download" library?)
# npm audit report
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install owasp-dependency-check@0.0.3, which is a breaking change
node_modules/download/node_modules/got
download >=4.0.0
Depends on vulnerable versions of got
node_modules/download
owasp-dependency-check >=0.0.4
Depends on vulnerable versions of download
node_modules/owasp-dependency-check
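The audit output above only lists the three affected packages; what a maintainer or a downstream user actually needs is the chain from the direct dependency down to the advisory, and a way to pin the transitive package without waiting on the parent. The script below is an added example, not code from the original issue, from npm or from the owasp-dependency-check project. It walks an `npm audit --json` report (npm 7+, `auditReportVersion: 2`), traces each advisory back to the direct dependency that pulls it in, and emits a nested package.json `overrides` entry scoped to that parent. The report object is a constructed fixture that mirrors the audit text quoted in the issue; `patchedRange` is a deliberate simplification that only understands the `<X` range form.

```javascript
// Added example (not from the issue or from npm): trace npm audit findings to
// their direct dependency and derive a scoped `overrides` entry.
// AUDIT_REPORT is a constructed fixture shaped like `npm audit --json` output.
const AUDIT_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    got: {
      name: 'got', severity: 'moderate', isDirect: false,
      via: [{
        title: 'Got allows a redirect to a UNIX socket',
        url: 'https://github.com/advisories/GHSA-pfrx-2q88-qq97',
        severity: 'moderate', range: '<11.8.5',
      }],
      effects: ['download'], range: '<11.8.5',
      nodes: ['node_modules/download/node_modules/got'],
    },
    download: {
      name: 'download', severity: 'moderate', isDirect: false,
      via: ['got'], effects: ['owasp-dependency-check'], range: '>=4.0.0',
      nodes: ['node_modules/download'],
    },
    'owasp-dependency-check': {
      name: 'owasp-dependency-check', severity: 'moderate', isDirect: true,
      via: ['download'], effects: [], range: '>=0.0.4',
      nodes: ['node_modules/owasp-dependency-check'],
    },
  },
};

// Packages carrying an advisory of their own: an object entry in `via`, as
// opposed to a string naming a vulnerable dependency further down.
function rootAdvisories(report) {
  const out = [];
  for (const vuln of Object.values(report.vulnerabilities)) {
    for (const v of vuln.via) {
      if (typeof v === 'object') {
        out.push({ name: vuln.name, range: v.range, url: v.url, title: v.title });
      }
    }
  }
  return out;
}

// Follow `effects` upward from a vulnerable package until a direct dependency
// is reached. Returns every chain as [direct, ..., vulnerable]; the `seen`
// set guards against cycles in the report.
function dependencyChains(report, name, seen = new Set()) {
  const vuln = report.vulnerabilities[name];
  if (!vuln || seen.has(name)) return [];
  const parents = vuln.effects || [];
  if (vuln.isDirect || parents.length === 0) return [[name]];
  const next = new Set(seen).add(name);
  const chains = [];
  for (const parent of parents) {
    for (const chain of dependencyChains(report, parent, next)) {
      chains.push([...chain, name]);
    }
  }
  return chains;
}

// Simplification: only the common "<X" vulnerable range is turned into a pin.
// Any other shape returns null and needs a look at the advisory itself.
function patchedRange(vulnerableRange) {
  const m = /^<(\d+\.\d+\.\d+)$/.exec(vulnerableRange.trim());
  return m ? `>=${m[1]}` : null;
}

// Build `overrides` scoped to the package that depends on the vulnerable one,
// so unrelated copies elsewhere in the tree are left untouched. Vulnerable
// packages that are themselves direct dependencies are skipped: those should
// be bumped in package.json rather than overridden.
function buildOverrides(report) {
  const overrides = {};
  for (const adv of rootAdvisories(report)) {
    const pin = patchedRange(adv.range);
    if (!pin) continue;
    for (const chain of dependencyChains(report, adv.name)) {
      if (chain.length < 2) continue;
      const parent = chain[chain.length - 2];
      overrides[parent] = { ...(overrides[parent] || {}), [adv.name]: pin };
    }
  }
  return overrides;
}

// One human-readable line per advisory chain.
function describe(report) {
  const lines = [];
  for (const adv of rootAdvisories(report)) {
    for (const chain of dependencyChains(report, adv.name)) {
      lines.push(`${adv.name} ${adv.range}: ${chain.join(' > ')} (${adv.url})`);
    }
  }
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(describe(AUDIT_REPORT).join('\n'));
  console.log(JSON.stringify({ overrides: buildOverrides(AUDIT_REPORT) }, null, 2));
}
```

For the fixture this yields the chain `owasp-dependency-check > download > got` and the override `{"overrides": {"download": {"got": ">=11.8.5"}}}`, which npm 8.3+ honours in the consuming project's package.json. The caveat is that an override forces a version the parent package never declared support for, so the parent's functionality (here, the download step) has to be exercised after the pin; an override silences the audit finding but does not by itself prove the combination works.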