mocks-server / main

Node.js mock server running live, interactive mocks in place of real APIs
https://www.mocks-server.org
Apache License 2.0

Security warning: Dependabot alert: Got allows a redirect to a UNIX socket #446

Open techterbium opened 1 year ago

techterbium commented 1 year ago

Describe the bug Security warning by dependabot alert: The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.

To Reproduce happens on version 3.12.0

Expected behavior A clear and concise description of what you expected to happen.

Logs If applicable, add logs to help explain your problem.

Operating system, Node.js and npm versions, or browser version (please complete the following information):

Additional context Add any other context about the problem here.

javierbrea commented 1 year ago

Hi @techterbium, the "got" package is not a direct dependency of this project. So, you'll have to fix the security alert by pinning the dependency in your own package-lock.json file in your repository.

FinnWoelm commented 1 year ago

Hi @javierbrea,

first of all: Thanks for this great work!

Just wanted to jump in here and note that the security warning still exists on fresh install of mocks-server/main.

It appears that update-notifier (up to v5.1.0) depends on vulnerable version of the got package. And mocks-server/core depends on v5.1.0 of update-notifier.


https://github.com/mocks-server/main/blob/bf9dd81d142e796efe90f523aec8b271f0a645e3/packages/core/package.json#L60

There is a v6 of update-notifier: https://github.com/yeoman/update-notifier/releases/tag/v6.0.0

We'd need to figure out if/how an upgrade to v6 affects mocks-server/core.

Otherwise, there is an alternative v5 version that has no breaking changes and fixes the vulnerability. See here: https://github.com/yeoman/update-notifier/issues/218#issuecomment-1240204177 Perhaps switching to update-notifier-cjs is an option?