kevva / download

Download and extract files
MIT License

Npm audit failure via older version of got #224

Open wbt opened 2 years ago

wbt commented 2 years ago

npm audit is failing in packages that use this, reporting:

got <11.8.5 Severity: moderate Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97

The got package is currently specified here at version 8. That would have to be updated to at least 11.8.5 to resolve the audit failure.

apepper commented 2 years ago

@sindresorhus If I'm not mistaken, you merged the bugfix in got in https://github.com/sindresorhus/got/pull/2047, which is awesome. download is quite an often-used library (~3 million installs a week) that still relies on the older version of got. Since you (EDIT: ~~do~~) might have write access to https://github.com/kevva/download, could you upgrade got in download as well? That would be really great!

striezel commented 2 years ago

> Since you do have write access to https://github.com/kevva/download could you upgrade got in download as well? That would be really great!

It would be great indeed. :)

However, sindresorhus does not have write access to this repository anymore, according to a comment he made on another issue. So he cannot upgrade got in download.

bbird5490 commented 2 years ago

So this will not get fixed?

What is a good alternative for this package?

mohit8285 commented 1 year ago

@wbt Hi Buddy, a temporary solution for your problem is to go to your package-lock.json file (`"node_modules/download"`) and update your `got` module version manually to 11.8.5 or 11.8.3, then install NPM again. I did the same, as in the code below. It temporarily fixed my problem.

```json
"node_modules/download": {
  "version": "8.0.0",
  "resolved": "https://registry.npmjs.org/download/-/download-8.0.0.tgz",
  "integrity": "sha512-ASRY5QhDk7FK+XrQtQyvhpDKanLluEEQtWl/J7Lxuf/b+i8RYh997QeXvL85xitrmRKVlx9c7eTrcRdq2GS4eA==",
  "dependencies": {
    "archive-type": "^4.0.0",
    "content-disposition": "^0.5.2",
    "decompress": "^4.2.1",
    "ext-name": "^5.0.0",
    "file-type": "^11.1.0",
    "filenamify": "^3.0.0",
    "get-stream": "^4.1.0",
    "got": "^11.8.3",
    "make-dir": "^2.1.0",
    "p-event": "^2.1.0",
    "pify": "^4.0.1"
  },
  "engines": {
    "node": ">=10"
  }
},
```
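Hand-editing the lockfile as described above only helps if the nested copy of got under `download` really ends up at or above the version the advisory names. The following script is an added example (not code from this thread or from the download project) that walks a lockfileVersion 2/3 `packages` map, lists every resolved copy of got, and flags those below 11.8.5. The `SAMPLE_LOCK` object is a constructed excerpt with one nested got@8 and one top-level got@11.8.5; the version comparator and `findPackage` helper are assumptions of this example, not npm APIs.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2 or 3, which keep a
// "packages" map keyed by install path) for every copy of "got" and report the
// ones still below the version the advisory quoted in the issue requires.
const MIN_GOT = '11.8.5'; // minimum fixed version per the npm audit output above

// Constructed sample lockfile excerpt (not a real project's lockfile): one got@8
// nested under download, one top-level got@11.8.5, so both outcomes are shown.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/download': { version: '8.0.0', dependencies: { got: '^8.3.1' } },
    'node_modules/download/node_modules/got': { version: '8.3.2' },
    'node_modules/got': { version: '11.8.5' },
  },
};

// Compare dotted numeric versions; negative if a < b, 0 if equal, positive if a > b.
// Pre-release suffixes are dropped, which is enough for a minimum-version check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every install path whose package name is `name`, with its resolved
// version and whether it is below `minVersion`.
function findPackage(lock, name, minVersion) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === '') continue; // the root project entry has no name here
    // Everything after the last "node_modules/" is the package name, including
    // any "@scope/" prefix, so scoped packages are matched correctly too.
    const segments = installPath.split('node_modules/');
    const pkgName = segments[segments.length - 1];
    if (pkgName !== name) continue;
    hits.push({
      path: installPath,
      version: entry.version,
      vulnerable: compareVersions(entry.version, minVersion) < 0,
    });
  }
  return hits;
}

// Convenience wrapper: only the copies of got that still fail the audit threshold.
function vulnerableGotCopies(lock) {
  return findPackage(lock, 'got', MIN_GOT).filter((h) => h.vulnerable);
}

// Stand-alone usage: `node check-got.js [path/to/package-lock.json]`; without an
// argument it scans the constructed sample above.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const hit of findPackage(lock, 'got', MIN_GOT)) {
    console.log(`${hit.path}: got@${hit.version} ${hit.vulnerable ? 'BELOW' : 'meets'} ${MIN_GOT}`);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { compareVersions, findPackage, vulnerableGotCopies, SAMPLE_LOCK, MIN_GOT };
}
```

Rather than editing package-lock.json by hand, the same pin can be expressed declaratively with the `overrides` field in package.json (npm 8.3 and later) or Yarn's `resolutions`, and the scan above re-run on the regenerated lockfile to confirm the nested copy moved. Either way, download@8 was written against an older got API, so a forced major-version bump needs a functional test of the download path, not just a clean `npm audit`.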

striezel commented 1 year ago

> So this will not get fixed?

It doesn't look like it will get fixed. As things are now, this package has basically been unmaintained for almost three years. :(

> What is a good alternative for this package?

I saw other projects where this package was replaced by node-downloader-helper, but I do not know how good that alternative is.