Backport the recent security fix to 3.x

[LinusU]

We are using version 3.x of simple-get in canvas and cannot upgrade to 4.x without making it a breaking change since we still support Node.js 6.x.

@feross would it be possible to have the patch back ported to the 3.x release line?

I can submit a PR if you create a 3.x branch from abdcdb3.

Thanks!

[webmaster128]

That would be great because simple-get ^3.0.3 is a transitive dependency of other packages, like prebuild-install v5 and v6.

[smokhov]

Looks like there is a backport for 2.x.x in PR #75 , I would surmise a fix here would be very similar. I hope we get some traction here.

[DraftProducts]

I think that you can already make your pull request @LinusU, so that feross just have to approve and merge the stuff.

[feross]

@LinusU I gave you access to this package on GitHub and npm to help handle these security fixes. Appreciate it!

[LinusU]

I've cherry-picked the fix and released 3.1.1 and 2.8.2 🚀

[SimenB]

Thanks! Somebody has poked the powers that be so GHSA-wpg7-2c88-r8xv get updated with the new fixed versions?

[LinusU]

Unfortunately I have no idea how to do that, would love to get to know how though ☺️

[webmaster128]

I've cherry-picked the fix and released 3.1.1 and 3.8.2 🚀

Amazing, thanks.

For the record: the last version number is a typo and needs to be 2.8.2. See also versions tab in https://www.npmjs.com/package/simple-get.