5 moderate severity vulnerabilities

[kamilluc]

Hi, there are 5 security issues all of them related to "got" package.

npm audit report

got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
bundle-stats 0.12.0-beta.7 || >=1.3.0-alpha.0
Depends on vulnerable versions of update-notifier
node_modules/bundle-stats

So it would be great if you could update update-notifier package. I saw PR from almost year ago but it is still not completed. #2462

[vio]

thanks for creating the issue @kamilluc!

Aware of some old dependencies that are flagged by dependabot/renovate as having security issues, though they should not be as problematic since bundle-stats is a dev dependency. In general, I try to keep the dependencies up to date, but since the current major (v4) is still supporting node v14, it was not easy to upgrade some dependencies that migrated to esm (min node v16).

I am currently working on a new major (v5) and the supported node version will be v16. Will keep this issue open for reference and to get notified when v5 is ready

[github-actions]

This issue is stale because it has been open for 30 days with no activity.

[github-actions]

This issue is stale because it has been open for 90 days with no activity.

[github-actions]

This issue was closed because it has been inactive for 30 days since being marked as stale.

[github-actions]

This issue is stale because it has been open for 90 days with no activity.

[github-actions]

This issue is stale because it has been open for 90 days with no activity.