Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability in got #6

Open
MatthewClark2 opened this issue Jul 18, 2022 · 6 comments
Open

Vulnerability in got #6

MatthewClark2 opened this issue Jul 18, 2022 · 6 comments

Comments

@MatthewClark2
Copy link

MatthewClark2 commented Jul 18, 2022
edited
Loading 

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got

This is mostly an issue for downstream dependents. Considering that this is a breaking change, it may be easier to shuffle dependencies as mentioned in issue 5 and leave the issue for later.
@anton-x-t
Copy link

Hi!

I discovered this too.
@mattdesl can you pretty please update package.json from this:

"dependencies": {
    "got": "^9.2.2",
    ...
  },

to this:

"dependencies": {
    "got": "^11.8.6",
    ...
  },

And also run npm i or similar, so package-lock.json is updated.
And publish a new version.
This would be very neat :)

Thank you,
Anton

@mattdesl mattdesl mentioned this issue Sep 27, 2024
Merged
@mattdesl
Copy link
Contributor

mattdesl commented Sep 27, 2024
edited
Loading

I've just stripped the dependencies and moved it to devDependencies. A better solution might involve updating to a newer version of got but as I understand it, due to ESM imports, it would cause another major breaking change here. The bin doesn't seem to work anymore, anyways, the API returns 403 when fetched from node but works fine in the browser.

Unfortunately, I don't have write access to Experience-Monk (formally Jam3) repositories, so I created a PR:
#6

@njam3 perhaps you could give me bulk access to some of these? or we could migrate them to my account? otherwise you will have to keep maintaining them in step with my updates.

EDIT: I should add, that I've already published this new version on NPM, and now the github is out of step with npm until the PR is merged.

@mattdesl mattdesl mentioned this issue Sep 27, 2024
Open
@anton-x-t
Copy link

anton-x-t commented Sep 30, 2024
edited
Loading

@mattdesl Thank you very much for a quick response and explanations and fix!
Link to PR #7

@anton-x-t
Copy link

PR #7 now merged. Thank you! Dependency solved.

When you think you have the time, don't stress, the only thing left to fix for now is to update:

"devDependencies": {
    "got": "^9.2.2",
    ...
  },

to

"devDependencies": {
    "got": "^11.8.6",
    ...
  },

@mattdesl
Copy link
Contributor

mattdesl commented Oct 1, 2024

@anton-x-t I think the challenge with that is that it will involve a more dramatic overhaul of the code (going from CJS to ESM). I'm not sure it would be considered a breaking change at that point since the npm module won't change, but if you'd like to send a PR I am sure it could be updated to remove this vulnerability (which, BTW, only would be possible now in local dev).

@anton-x-t
Copy link

@mattdesl Thank you very much for explaining, alright. I can't do it now, if I have time and can I'll ask for permission to create a branch. Thank you very much again for resolving this so quickly!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mattdesl @anton-x-t @MatthewClark2