Open abejfehr opened 1 year ago
Hey @abejfehr ,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We just created a got 6.7.1-sp1 that solves the same CVE-2022-33987 and we're going to upload it tomorrow to our open-source repository. Like all our patches, it's completely free to use and open-source.
If you want us to make a vulnerability-free version of 8.3.2, which is what this library appears to be using, feel free to reach us at info@seal.security.
There are some vulnerabilities in got (CVE-2022-33987) and http-cache-semantics (CVE-2022-25881), which are transitive dependencies of this package:
It looks like neither download nor bin-wrapper (both by the same user) are maintained anymore and were last published a really long time ago.
Would it be possible to find an alternative for this functionality to mitigate these vulnerabilities?