Open techterbium opened 1 year ago
Hi @techterbium,
The "got" package is not a direct dependency of this project. So, you'll have to fix the security alert by pinning the dependency in your own package-lock.json file in your repository.
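Pinning a transitive package, as the reply above suggests, means finding every installed copy of `got` in the lockfile and deciding which dependents it serves. The script below is an added example, not code from mocks-server or from this thread: it walks a constructed npm lockfile (lockfileVersion 2/3 "packages" map), flags copies of `got` in the ranges the advisory names (before 11.8.5, and 12.0.x before 12.1.0), lists which packages resolve to each copy, and builds the `overrides` block that npm 8.3+ accepts in package.json to force a patched version for those dependents. Package names other than `got` and `update-notifier` are invented for the sample.

```javascript
// Added example, not part of the thread or of mocks-server: scan an npm lockfile for
// copies of `got` in the advisory ranges and suggest npm `overrides` entries.
// The lockfile below is constructed for this example.

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/update-notifier": { version: "5.1.0", dependencies: { got: "^9.6.0" } },
    "node_modules/got": { version: "9.6.0" }, // hoisted copy, resolved by update-notifier
    "node_modules/other-tool": { version: "2.0.0", dependencies: { got: "^11.8.3" } },
    "node_modules/other-tool/node_modules/got": { version: "11.8.3" },
    "node_modules/new-tool": { version: "1.0.0", dependencies: { got: "^12.0.4" } },
    "node_modules/new-tool/node_modules/got": { version: "12.0.4" },
    "node_modules/fine-tool": { version: "3.0.0", dependencies: { got: "^12.1.0" } },
    "node_modules/fine-tool/node_modules/got": { version: "12.1.0" },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Advisory ranges: < 11.8.5, and 12.0.0 <= v < 12.1.0. Returns null when unparseable
// so the caller reports it instead of silently treating it as safe.
function isVulnerableGot(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return lessThan(v, [11, 8, 5]) || (v[0] === 12 && lessThan(v, [12, 1, 0]));
}

// First patched release in the same major line, or null when that major has none:
// a got 9.x/10.x consumer has to move to a got >= 11.8.5 release, which an override
// across majors may break (the update-notifier case in this thread).
function patchedInSameMajor(version) {
  const major = parseVersion(version)[0];
  if (major === 11) return "11.8.5";
  if (major === 12) return "12.1.0";
  return null;
}

// npm resolution order: <from>/node_modules/<name>, then each ancestor's node_modules.
function resolveDependency(fromPath, name, packages) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> "."
function dependentName(path) {
  return path === "" ? "." : path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

function scanLock(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/got") || isVulnerableGot(entry.version) !== true) continue;
    const dependents = Object.entries(packages)
      .filter(([from, e]) => e.dependencies && e.dependencies.got &&
        resolveDependency(from, "got", packages) === path)
      .map(([from]) => dependentName(from));
    findings.push({ path, version: entry.version, dependents, fix: patchedInSameMajor(entry.version) });
  }
  return findings;
}

// package.json "overrides": nested per dependent so unrelated copies keep their own range.
function suggestOverrides(findings) {
  const overrides = {};
  for (const f of findings) {
    if (!f.fix) continue;
    for (const dep of f.dependents) {
      if (dep === ".") overrides.got = f.fix; // direct dependency of the project itself
      else overrides[dep] = { got: f.fix };
    }
  }
  return overrides;
}

if (typeof require !== "undefined" && require.main === module) {
  const findings = scanLock(SAMPLE_LOCK);
  console.log(JSON.stringify(findings, null, 2));
  console.log(JSON.stringify({ overrides: suggestOverrides(findings) }, null, 2));
}
```

The hoisted got 9.6.0 copy used by update-notifier comes back with `fix: null`: no same-major patch exists, so an override alone is not a safe answer there, and the dependent itself has to move to a got release at or above 11.8.5. Run `npm install` after adding the `overrides` block and re-run the scan against the regenerated lockfile; an override that npm could not apply (for example because the dependent's range does not admit it) shows up as the same copy still being present.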
Hi @javierbrea,
First of all: thanks for this great work!
Just wanted to jump in here and note that the security warning still exists on a fresh install of mocks-server/main.
It appears that update-notifier (up to v5.1.0) depends on a vulnerable version of the got package. And mocks-server/core depends on v5.1.0 of update-notifier.
There is a v6 of update-notifier: https://github.com/yeoman/update-notifier/releases/tag/v6.0.0
We'd need to figure out if/how an upgrade to v6 affects mocks-server/core.
Otherwise, there is an alternative v5 version that has no breaking changes and fixes the vulnerability. See here: https://github.com/yeoman/update-notifier/issues/218#issuecomment-1240204177 Perhaps switching to update-notifier-cjs is an option?
Describe the bug: Security warning by dependabot alert: The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.
To Reproduce: happens on version 3.12.0
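The alert quoted in the report is about an HTTP client following a redirect whose target is a UNIX domain socket rather than a network host. The check below is an added example, not got's own code or mocks-server's: it implements that policy as a standalone function that can sit in front of any client's redirect handling. It assumes got's documented socket URL form, PROTOCOL://unix:SOCKET:PATH (hostname literally "unix"), plus a bare unix: scheme; every Location value and request URL in the sample is constructed for the example.

```javascript
// Added example, not from got or mocks-server: decide whether a redirect target may be
// followed. Rejects UNIX socket destinations (got's "unix" hostname convention is
// assumed here) and anything that is not plain http/https.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function isUnixSocketTarget(url) {
  // got addresses sockets as http://unix:<socket path>:<request path>, so the
  // WHATWG parser yields hostname "unix"; a bare unix: scheme is rejected as well.
  return url.protocol === "unix:" || url.hostname === "unix";
}

// Resolve a Location header against the URL that produced it and return
// { follow: true, url } or { follow: false, reason }.
function evaluateRedirect(requestUrl, location) {
  let target;
  try {
    target = new URL(location, requestUrl); // relative Locations resolve against the request
  } catch (e) {
    return { follow: false, reason: "unparseable Location header" };
  }
  if (isUnixSocketTarget(target)) {
    return { follow: false, reason: "redirect to UNIX socket" };
  }
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) {
    return { follow: false, reason: `protocol ${target.protocol} not allowed` };
  }
  return { follow: true, url: target.href };
}

// Constructed responses: each is [request URL, Location header value].
const SAMPLE_REDIRECTS = [
  ["https://api.example.com/v1/items", "/v2/items"],
  ["https://api.example.com/v1/items", "https://cdn.example.com/items.json"],
  ["https://api.example.com/v1/items", "http://unix:/var/run/docker.sock:/containers/json"],
  ["https://api.example.com/v1/items", "unix:/var/run/docker.sock"],
  ["https://api.example.com/v1/items", "file:///etc/passwd"],
];

function runSamples() {
  return SAMPLE_REDIRECTS.map(([from, location]) => ({ location, ...evaluateRedirect(from, location) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) {
    console.log(r.follow ? `follow  ${r.url}` : `block   ${r.location}  (${r.reason})`);
  }
}
```

With got 11 the same decision can be taken inside a `beforeRedirect` hook, which receives the updated request options; throwing there aborts the redirect. Keeping the rule in a plain function, as above, lets the same policy be unit-tested and reused in front of other clients, and the protocol allow-list also stops redirects into schemes the client was never meant to speak.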