kevva / download

Download and extract files
MIT License

fix(deps): bump got from 8.x.x to 11.8.2 [security] CVE-2021-33502 #215

Closed wejendorp closed 3 years ago

wejendorp commented 3 years ago

Removes dependency on normalize-url@2 through got > cacheable-request, as referenced in https://github.com/advisories/GHSA-px4h-xg32-q955

BREAKING CHANGE: got@11 requires node 14.16. Node 10/12 is no longer supported

wejendorp commented 3 years ago

@kevva do you think we can merge this? It would help fix a lot of "dependabot" items.

wejendorp commented 3 years ago

Upon closer inspection of normalize-url, I don't think it's actually vulnerable, and I will try to get the CVE changed to reflect that instead.

mikhail-g commented 11 months ago

Hey @wejendorp, why not merge this anyway? I'm still getting warnings on npm audit as the CVE hasn't been updated:

```
got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download
```
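Tracing which direct dependency pulls a flagged package in, as an added example that is not code from kevva/download or got: it walks a package-lock.json v2 `packages` map with the same nested `node_modules` lookup Node uses, so a path such as `node_modules/download/node_modules/got` from the audit output above resolves back to `download`, and the got > cacheable-request > normalize-url chain from the PR description can be listed. The lock data is constructed and truncated; apart from got@11.8.2 from the PR title, the versions are placeholders.

```javascript
// Added example, not code from kevva/download or got. The lock data below is
// constructed and truncated; only got@11.8.2 comes from the PR title.
const lock = {
  packages: {
    "": { dependencies: { download: "^8.0.0", got: "^11.8.2" } },
    "node_modules/download": { version: "8.0.0", dependencies: { got: "^8.3.0" } },
    "node_modules/download/node_modules/got": {
      version: "8.3.2", dependencies: { "cacheable-request": "^2.1.0" } },
    "node_modules/download/node_modules/cacheable-request": {
      version: "2.1.4", dependencies: { "normalize-url": "^2.0.0" } },
    "node_modules/normalize-url": { version: "2.0.1" },
    "node_modules/got": { version: "11.8.2", dependencies: { "cacheable-request": "^7.0.0" } },
    "node_modules/got/node_modules/cacheable-request": { version: "7.0.2" },
  },
};

// Resolve `name` as required from the package installed at `fromPath`, the way
// Node does: look in that package's own node_modules, then in each parent's.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Every chain "a@1 > b@2 > ..." from a direct dependency down to `target`.
function chainsTo(lockData, target) {
  const pkgs = lockData.packages, chains = [];
  const walk = (path, trail, seen) => {
    if (seen.has(path)) return; // guard against dependency cycles
    const node = pkgs[path];
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    const next = trail.concat(`${name}@${node.version}`);
    if (name === target) { chains.push(next.join(" > ")); return; }
    const nextSeen = new Set(seen).add(path);
    for (const dep of Object.keys(node.dependencies || {})) {
      const p = resolveDep(pkgs, path, dep);
      if (p) walk(p, next, nextSeen);
    }
  };
  for (const dep of Object.keys(pkgs[""].dependencies || {})) {
    const p = resolveDep(pkgs, "", dep);
    if (p) walk(p, [], new Set());
  }
  return chains;
}
```

Run against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the constructed object; an empty result for `normalize-url` after the bump confirms the chain is gone.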