postalsys / mailauth

Command line utility and a Node.js library for email authentication

mailauth depends on a package with a known security vulnerability (undici) #46

Closed augjoh closed 12 months ago

augjoh commented 12 months ago

mailauth depends on a package with a known security vulnerability.

# npm audit report

undici  <5.26.2
Undici's cookie header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-wqq4-5wpv-mx2g
fix available via `npm audit fix --force`
Will install mailauth@4.5.0, which is a breaking change
node_modules/undici
  mailauth  >=4.5.1
  Depends on vulnerable versions of undici
  node_modules/mailauth

Steps to reproduce the behavior:

  1. npm install mailauth && npm audit
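The audit output above is what a practitioner has to triage: is the installed copy of the flagged package actually inside the advisory's vulnerable range, which top-level dependency pulls it in, and is the offered fix a semver-major change. As an added example, not code from the mailauth project or from either commenter, the Node.js script below parses the shape of an `npm audit --json` report together with the matching `package-lock.json` entries and answers those three questions offline. The report and lock fragments are constructed samples modelled on the advisory quoted in the issue (undici <5.26.2); the installed versions in them are assumed, and real reports may carry additional fields.

```javascript
// Added example (not part of the mailauth project or this issue thread):
// triage an `npm audit --json` report by checking each advisory's vulnerable
// range against the version actually installed in package-lock.json.

// Constructed sample in the shape of `npm audit --json` (npm 7+). The package,
// range and advisory URL are those quoted in the issue; other values are assumed.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    undici: {
      name: 'undici',
      severity: 'moderate',
      range: '<5.26.2',
      nodes: ['node_modules/undici'],
      via: [{
        title: "Undici's cookie header not cleared on cross-origin redirect in fetch",
        url: 'https://github.com/advisories/GHSA-wqq4-5wpv-mx2g',
        range: '<5.26.2',
      }],
      effects: ['mailauth'],
      fixAvailable: { name: 'mailauth', version: '4.5.0', isSemVerMajor: true },
    },
  },
};

// Constructed package-lock.json fragment; the installed versions are assumed.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/mailauth': { version: '4.5.1', dependencies: { undici: '^5.25.0' } },
    'node_modules/undici': { version: '5.25.4' },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Evaluate an advisory range as npm prints it: comparator sets joined by "||",
// comparators within a set joined by whitespace, e.g. "<5.26.2" or
// ">=4.0.0 <4.5.1 || <3.2.0".
function satisfies(version, range) {
  return range.split('||').some(set =>
    set.trim().split(/\s+/).every(cmp => {
      const m = /^(<=|>=|<|>|=?)(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1]) {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    }));
}

// One triage record per advisory: installed versions, whether any of them falls
// inside the vulnerable range, which top-level package depends on it, the
// advisory URLs, and whether the available fix is semver-major.
function triage(audit, lock) {
  return Object.values(audit.vulnerabilities).map(v => {
    const installed = v.nodes.map(n => (lock.packages[n] || {}).version).filter(Boolean);
    const affected = installed.filter(ver => satisfies(ver, v.range));
    const fix = v.fixAvailable === true ? 'non-breaking update'
      : v.fixAvailable ? `${v.fixAvailable.name}@${v.fixAvailable.version}` +
                         (v.fixAvailable.isSemVerMajor ? ' (semver-major)' : '')
      : 'none';
    return {
      package: v.name,
      severity: v.severity,
      installed,
      affected: affected.length > 0,
      reachedVia: v.effects || [],
      advisories: v.via.filter(x => typeof x === 'object').map(x => x.url),
      fix,
    };
  });
}

console.log(JSON.stringify(triage(SAMPLE_AUDIT, SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace the two constructed objects with `JSON.parse` of `npm audit --json` output and of `package-lock.json`; the `affected` flag tells you whether the lockfile actually resolves to a vulnerable version, and `reachedVia` names the top-level dependency to raise the report against, which is the information the issue above reconstructs by hand.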
andris9 commented 12 months ago

This vulnerability does not apply in the slightest in the context of Mailauth. But I’ll bump the dependency version anyway.