5 moderate severity vulnerabilities

[kamilluc]

Hi, there are 5 security issues all of them related to "got" package.

npm audit report

got <11.8.5 Severity: moderate Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97 fix available via npm audit fix --force Will install bundle-stats@1.2.3, which is a breaking change node_modules/got package-json <=6.5.0 Depends on vulnerable versions of got node_modules/package-json latest-version 0.2.0 - 5.1.0 Depends on vulnerable versions of package-json node_modules/latest-version update-notifier 0.2.0 - 5.1.0 Depends on vulnerable versions of latest-version node_modules/update-notifier bundle-stats 0.12.0-beta.7 || >=1.3.0-alpha.0 Depends on vulnerable versions of update-notifier node_modules/bundle-stats

So it would be great if you could update update-notifier package. I saw PR from almost year ago but it is still not completed. #2462

[vio]

thanks for creating the issue @kamilluc!

Aware of some old dependencies that are flagged by dependabot/renovate as having security issues, though they should not be as problematic since bundle-stats is a dev dependency. In general, I try to keep the dependencies up to date, but since the current major (v4) is still supporting node v14, it was not easy to upgrade some dependencies that migrated to esm (min node v16).

I am currently working on a new major (v5) and the supported node version will be v16. Will keep this issue open for reference and to get notified when v5 is ready

[github-actions[bot]]

This issue is stale because it has been open for 30 days with no activity.

[github-actions[bot]]

This issue is stale because it has been open for 90 days with no activity.

[github-actions[bot]]

This issue was closed because it has been inactive for 30 days since being marked as stale.

[github-actions[bot]]

This issue is stale because it has been open for 90 days with no activity.

[github-actions[bot]]

This issue is stale because it has been open for 90 days with no activity.