mapbox / mapbox-gl-geocoder

Geocoder control for mapbox-gl-js using Mapbox Geocoding API
https://mapbox.com/mapbox-gl-js/example/mapbox-gl-geocoder/
ISC License

Transitive dependency on vulnerable got version #471

Open erpankajsingla opened 2 years ago

erpankajsingla commented 2 years ago

@mapbox/mapbox-gl-geocoder@5.0.1 requires got@^10.7.0 via a transitive dependency on @mapbox/mapbox-sdk@0.13.3.

The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket. https://security.snyk.io/package/npm/got

Updating @mapbox/mapbox-sdk to version 0.13.5 should resolve the issue since it uses got@^11.8.5.
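An added example, not part of the original issue or the project's code: one way to confirm from a lockfile which dependency chain pulls in an affected `got`, using the version bounds quoted above. It assumes npm's lockfile v2/v3 `packages` layout; the sample lockfile, `demo-app`, `other-lib` and all function names are constructed for illustration.

```javascript
// Constructed sample in npm lockfile v2/v3 "packages" layout; demo-app and other-lib are made up.
const sampleLock = { packages: {
  "": { name: "demo-app", dependencies: { "@mapbox/mapbox-gl-geocoder": "5.0.1", "other-lib": "1.0.0" } },
  "node_modules/@mapbox/mapbox-gl-geocoder": { version: "5.0.1", dependencies: { "@mapbox/mapbox-sdk": "0.13.3" } },
  "node_modules/@mapbox/mapbox-sdk": { version: "0.13.3", dependencies: { got: "^10.7.0" } },
  "node_modules/got": { version: "10.7.0" },
  "node_modules/other-lib": { version: "1.0.0", dependencies: { got: "^11.8.5" } },
  "node_modules/other-lib/node_modules/got": { version: "11.8.5" },
} };

// Parse "x.y.z" into numbers; pre-release and build suffixes are ignored.
const parse = (v) => v.split(/[-+]/)[0].split(".").map(Number);
const lt = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
};
// Bounds as stated in the issue: before 11.8.5, and on the 12.x line before 12.1.0.
function isAffectedGot(version) {
  const v = parse(version);
  return v[0] >= 12 ? lt(v, [12, 1, 0]) : lt(v, [11, 8, 5]);
}
// Node-style resolution: look in the dependant's own node_modules, then walk up to the root.
function resolve(pkgs, from, name) {
  for (let dir = from; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (pkgs[candidate]) return candidate;
    if (!dir) return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}
// Return every "root > ... > got@x.y.z" chain that ends at an affected got install.
function findChains(lock) {
  const pkgs = lock.packages, chains = [];
  const nameOf = (p) => (p === "" ? pkgs[""].name || "(root)" : p.slice(p.lastIndexOf("node_modules/") + 13));
  const label = (p) => (p === "" ? nameOf(p) : `${nameOf(p)}@${pkgs[p].version}`);
  // Packages whose dependencies or optionalDependencies resolve to `target`.
  const dependants = (target) => Object.keys(pkgs).filter((p) =>
    Object.keys({ ...pkgs[p].dependencies, ...pkgs[p].optionalDependencies })
      .some((d) => resolve(pkgs, p, d) === target));
  const walk = (path, trail) => {
    const next = [path, ...trail];
    if (path === "") return chains.push(next.map(label).join(" > "));
    for (const parent of dependants(path)) if (!next.includes(parent)) walk(parent, next); // cycle guard
  };
  for (const p of Object.keys(pkgs))
    if (nameOf(p) === "got" && pkgs[p].version && isAffectedGot(pkgs[p].version)) walk(p, []);
  return chains;
}
```

On the constructed lockfile, only the hoisted `got@10.7.0` is reported; the nested `got@11.8.5` under `other-lib` is not.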

mantasmatuzas commented 2 years ago

I'm also waiting for it to be fixed.