Security warning: Dependabot alert: Got allows a redirect to a UNIX socket
techterbium opened this issue · 2 comments
Describe the bug
Security warning by dependabot alert: The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.
To Reproduce
happens on version 3.12.0
Expected behavior
A clear and concise description of what you expected to happen.
Logs
If applicable, add logs to help explain your problem.
**Operating system, Node.js and npm versions, or browser version (please complete the following information):**
- OS: [e.g. Ubuntu 18.04]
- Node.js: [e.g. 8.11.1]
- npm: [e.g. 5.6.0]
- Browser: [e.g. Chrome 73.0.3683]
Additional context
Add any other context about the problem here.
Hi @techterbium ,
The "got" package is not a direct dependency of this project. So, you'll have to fix the security alert by pinning the dependency in your own package-lock.json file in your repository.
Hi @javierbrea,
first of all: Thanks for this great work!
Just wanted to jump in here and note that the security warning still exists on a fresh install of mocks-server/main.
It appears that update-notifier (up to v5.1.0) depends on a vulnerable version of the got package. And mocks-server/core depends on v5.1.0 of update-notifier.
main/packages/core/package.json, line 60 in bf9dd81
There is a v6 of update-notifier: https://github.com/yeoman/update-notifier/releases/tag/v6.0.0
We'd need to figure out if/how an upgrade to v6 affects mocks-server/core.
Otherwise, there is an alternative v5 version that has no breaking changes and fixes the vulnerability. See here: yeoman/update-notifier#218 (comment). Perhaps switching to update-notifier-cjs is an option?
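As an added example (not code from this thread or from the mocks-server project), the following script reproduces the check the comment above did by hand: it walks a `package-lock.json` (lockfile v2/v3 `packages` map), finds every copy of `got` older than the fixed releases named in the alert (11.8.5 for the 11.x line, 12.1.0 for 12.x), and reports the dependency chain it was installed through. The lock data embedded below is constructed for illustration.

```javascript
// Added example: locate vulnerable transitive copies of "got" in a package-lock.json.
// Fixed versions per the advisory quoted in the issue: 11.8.5 (11.x) and 12.1.0 (12.x).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Vulnerable: any version below 11.8.5, or 12.0.0 <= version < 12.1.0.
// An unparsable version string is reported as vulnerable so it gets reviewed.
function isVulnerableGot(version) {
  const v = parseVersion(version);
  if (!v) return true;
  if (v[0] <= 11) return cmp(v, [11, 8, 5]) < 0;
  if (v[0] === 12) return cmp(v, [12, 1, 0]) < 0;
  return false;
}

// "node_modules/update-notifier/node_modules/got" -> ["update-notifier", "got"]
function chain(lockPath) {
  return lockPath.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
}

function findVulnerableGot(lock) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || !lockPath.endsWith('node_modules/got')) continue; // '' is the root project
    if (isVulnerableGot(meta.version)) {
      hits.push({ path: lockPath, version: meta.version, via: chain(lockPath) });
    }
  }
  return hits;
}

// Constructed sample lock: a fixed hoisted got plus an old nested copy under update-notifier.
// (A real npm lockfile may nest it deeper, e.g. under package-json; the logic is the same.)
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/update-notifier': { version: '5.1.0' },
    'node_modules/update-notifier/node_modules/got': { version: '9.6.0' },
    'node_modules/got': { version: '11.8.5' },
  },
};

// Usage: node scan-got.js (or pass require('./package-lock.json') instead of SAMPLE_LOCK)
console.log(JSON.stringify(findVulnerableGot(SAMPLE_LOCK), null, 2));
```

If the scan reports a hit via `update-notifier`, the remediation options are the ones the thread discusses: upgrade that dependency, or pin the nested `got` to a fixed release in your own lockfile.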