etnetera / owasp-dependency-check

MIT License

OWASP dependency check fails npm audit #6

Closed martin-traverse closed 2 years ago

martin-traverse commented 2 years ago

There is a vulnerability in the "got" library that allows a redirect to a unix socket. This is failing NPM audit and other security scanning tools. The dependency comes from the "download" library, which hasn't been updated in two years.

It is possible to do npm audit --omit=dev, but this is slightly skirting the issue! Explicitly specifying the version of download or got doesn't seem to fix this issue, since NPM still looks at the dependency versions in the parent package.

Is it possible to get a fix that removes the dependency on the "download" library (or, alternatively, to get an update into the "download" library)?

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install owasp-dependency-check@0.0.3, which is a breaking change
node_modules/download/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download
    owasp-dependency-check  >=0.0.4
    Depends on vulnerable versions of download
    node_modules/owasp-dependency-check
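The audit output above shows why pinning `got` in your own package.json does not help: the flagged copy lives under `node_modules/download/node_modules/got`, and npm reports the chain from that nested package up to the package you actually installed. The script below is an added example, not code from this project or from the issue author; it walks an `npm audit --json` report (npm 7+, `auditReportVersion: 2`) and prints one line per advisory showing that chain, so a reviewer can see at a glance which direct dependency has to change. The embedded report is constructed to mirror the text output in the issue, and the field names (`via`, `effects`, `isDirect`, `nodes`) reflect the npm 7+ JSON layout as I know it; treat the exact shape as an assumption and check it against a real report.

```javascript
// Added example (not part of the etnetera/owasp-dependency-check project).
// Constructed `npm audit --json` report mirroring the text report in the issue:
// got <11.8.5 -> download -> owasp-dependency-check. Field layout assumed to
// follow npm 7+ (auditReportVersion 2).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    got: {
      name: "got",
      severity: "moderate",
      isDirect: false,
      // Objects in `via` are advisories; strings are names of other
      // vulnerable packages this one depends on.
      via: [
        {
          name: "got",
          dependency: "got",
          title: "Got allows a redirect to a UNIX socket",
          url: "https://github.com/advisories/GHSA-pfrx-2q88-qq97",
          severity: "moderate",
          range: "<11.8.5",
        },
      ],
      effects: ["download"],
      range: "<11.8.5",
      nodes: ["node_modules/download/node_modules/got"],
    },
    download: {
      name: "download",
      severity: "moderate",
      isDirect: false,
      via: ["got"],
      effects: ["owasp-dependency-check"],
      range: ">=4.0.0",
      nodes: ["node_modules/download"],
    },
    "owasp-dependency-check": {
      name: "owasp-dependency-check",
      severity: "moderate",
      isDirect: true,
      via: ["download"],
      effects: [],
      range: ">=0.0.4",
      nodes: ["node_modules/owasp-dependency-check"],
    },
  },
};

// Collect the advisories themselves (object entries in `via`), tagged with
// the package they were reported against.
function rootAdvisories(report) {
  const out = [];
  for (const v of Object.values(report.vulnerabilities)) {
    for (const via of v.via) {
      if (typeof via === "object") out.push({ pkg: v.name, ...via });
    }
  }
  return out;
}

// Follow `effects` upward until a direct dependency is reached (or the
// chain runs out). Returns every distinct path; `seen` guards against
// cycles in a malformed report.
function chainsToDirect(report, pkgName, seen = new Set()) {
  const entry = report.vulnerabilities[pkgName];
  if (!entry || seen.has(pkgName)) return [];
  if (entry.isDirect || entry.effects.length === 0) return [[pkgName]];
  const next = new Set(seen).add(pkgName);
  const chains = [];
  for (const parent of entry.effects) {
    for (const rest of chainsToDirect(report, parent, next)) {
      chains.push([pkgName, ...rest]);
    }
  }
  return chains;
}

// One summary line per advisory per chain, e.g.
// "moderate GHSA-pfrx-2q88-qq97 got <11.8.5 -> download -> owasp-dependency-check"
function summarize(report) {
  const lines = [];
  for (const adv of rootAdvisories(report)) {
    const id = adv.url.split("/").pop();
    for (const chain of chainsToDirect(report, adv.pkg)) {
      const tail =
        chain.length > 1 ? ` -> ${chain.slice(1).join(" -> ")}` : " (direct dependency)";
      lines.push(`${adv.severity} ${id} ${adv.pkg} ${adv.range}${tail}`);
    }
  }
  return lines;
}

console.log(summarize(SAMPLE_AUDIT).join("\n"));
```

To run it against a real project, replace `SAMPLE_AUDIT` with `JSON.parse(fs.readFileSync(0, "utf8"))` and pipe `npm audit --json` into the script. The last element of each chain is the package in your own package.json, which is the only place a version change (or, as happened here, swapping the library) will actually make the finding go away; `--omit=dev` merely hides chains whose direct dependency is a devDependency.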

centi commented 2 years ago

I replaced the library with a different one. The new version 0.0.19 should now have 0 vulnerabilities.