kevva / download

Download and extract files
MIT License

High npm vulnerability #216

Closed XhmikosR closed 3 years ago

XhmikosR commented 3 years ago
High            Regular Expression Denial of Service

  Package         normalize-url

  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1

  Dependency of   hugo-bin [dev]

  Path            hugo-bin > bin-wrapper > download > got > cacheable-request
                  > normalize-url

  More info       https://npmjs.com/advisories/1755

@sindresorhus Haven't looked into the details of this package, but I take it that updating got alone would need a major version bump?
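An added example (not from this issue or the download project) that reads the advisory's "Patched in" expression and walks a constructed package-lock v1 style tree to flag the copy of normalize-url sitting on the path the audit output shows; the versions on the intermediate packages are placeholders.

```javascript
// Added example: evaluate the advisory's "Patched in" expression against every
// copy of a package in a package-lock v1 style tree. Handles only the comparators
// npm advisories use (>=, >, <=, <, ||); real tooling should use the `semver` package.
const PATCHED_IN = '>=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1';

function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A range is comparator sets joined by '||'; within a set, every
// space-separated comparator must hold.
function satisfies(version, range) {
  return range.split('||').some(set =>
    set.trim().split(/\s+/).every(cmp => {
      const m = /^(>=|<=|>|<)(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0 }[m[1]];
    })
  );
}

// Recursively walk nested `dependencies` (lockfileVersion 1 layout) and
// report each install of `name` with its path and patch status.
function findInstalls(tree, name, path = []) {
  const found = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) {
      found.push({ path: here.join(' > '), version: info.version,
                   patched: satisfies(info.version, PATCHED_IN) });
    }
    found.push(...findInstalls(info, name, here));
  }
  return found;
}

// Constructed lockfile fragment mirroring the path in the advisory;
// intermediate versions are placeholders, normalize-url is a pre-fix release.
const nest = (name, version, child) =>
  ({ [name]: { version, ...(child && { dependencies: child }) } });
const SAMPLE_LOCK = { dependencies: nest('hugo-bin', '0.0.0',
  nest('bin-wrapper', '0.0.0', nest('download', '0.0.0', nest('got', '0.0.0',
  nest('cacheable-request', '0.0.0', nest('normalize-url', '4.5.0')))))) };

console.log(findInstalls(SAMPLE_LOCK, 'normalize-url'));
```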

Fgerthoffert commented 3 years ago

If useful to anyone, a simple file download can be replaced with this

import fetch from 'node-fetch'; // node-fetch exposes fetch as its default export, not a namespace
import * as fs from 'fs';
import * as util from 'util';
import { pipeline } from 'stream';

...

// promisified pipeline() rejects on stream errors and closes the file on failure
const streamPipeline = util.promisify(pipeline);
const response = await fetch(url, options);
// Don't write an error page to disk as if it were the file
if (!response.ok) throw new Error(`unexpected response ${response.statusText}`);
await streamPipeline(response.body, fs.createWriteStream(job.filepath));

XhmikosR commented 3 years ago

Hmm, it doesn't seem to be flagged anymore for some reason.