feross / simple-get

Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines
MIT License

Backport the recent security fix to 3.x #74

Closed LinusU closed 2 years ago

LinusU commented 2 years ago

We are using version 3.x of simple-get in canvas and cannot upgrade to 4.x without making it a breaking change since we still support Node.js 6.x.

@feross would it be possible to have the patch back ported to the 3.x release line?

I can submit a PR if you create a 3.x branch from abdcdb32d0bb7707110a1ab39df99488330df1ee.

Thanks!

webmaster128 commented 2 years ago

That would be great because simple-get ^3.0.3 is a transitive dependency of other packages, like prebuild-install v5 and v6.

smokhov commented 2 years ago

Looks like there is a backport for 2.x.x in PR #75; I would surmise a fix here would be very similar. I hope we get some traction here.

DraftProducts commented 2 years ago

I think that you can already make your pull request @LinusU, so that feross just has to approve and merge the stuff.

feross commented 2 years ago

@LinusU I gave you access to this package on GitHub and npm to help handle these security fixes. Appreciate it!

LinusU commented 2 years ago

I've cherry-picked the fix and released 3.1.1 and 2.8.2 🚀

SimenB commented 2 years ago

Thanks! Has somebody poked the powers that be so that https://github.com/advisories/GHSA-wpg7-2c88-r8xv gets updated with the new fixed versions?

LinusU commented 2 years ago

Unfortunately I have no idea how to do that, would love to get to know how though ☺️

webmaster128 commented 2 years ago

I've cherry-picked the fix and released 3.1.1 and 3.8.2 🚀

Amazing, thanks.

For the record: the last version number is a typo and needs to be 2.8.2. See also versions tab in https://www.npmjs.com/package/simple-get.