Security: cacheable-request should be updated on the 11.x.x version #2220
Comments
Seems from the code that it's not a simple dependency update. It requires a backport of some changes from the main branch (12.x).
Looks like cacheable-request dropped support for v8 at EOY 2022. Sadly, v8 was the last version supporting CJS, which means that it might actually be really hard to pull the actual fix into got's 11.8.x ... https://github.com/jaredwray/cacheable-request/blob/main/SECURITY.md I reached out in https://github.com/jaredwray/cacheable-request to see if it's possible to have that fix in a CJS version of the package... maybe that simplifies/unblocks(?) the adoption.
Edit: I did not check the package.json of v7 since the oldest code on GitHub for that library is v8. From subsequent comments, v7's semver range is the same as v8. The advisory should really be deleted.
I don't think this is really a vulnerability? Line 51 in 2b1482c
https://github.com/jaredwray/cacheable-request/blob/635f3698f9eaa3fe93e46d82f398efd970852de7/package.json#L34 Maybe the security alert will be dismissed after this PR.
The security advisory was withdrawn, so this should be closed.
Describe the bug
Got version 11.8.6 uses a vulnerable version of cacheable-request:
https://github.com/jaredwray/cacheable-request/security/advisories/GHSA-8x6c-cv3v-vp6g
Seems that version 10.2.7 of cacheable-request has a fix.
The GitHub repo still doesn't show that release, but the npmjs repo has it.
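An added example (not code from the got or cacheable-request projects) showing how to check what a report like this one actually means for an installed tree: which versions of a transitive dependency a `package-lock.json` resolves to, and whether each copy is at or above the version the advisory names as fixed. npm can install several copies of the same package when dependents ask for incompatible ranges, so a patched copy nested under one dependent does not patch the copy `got` loads. It handles both the lockfileVersion 2/3 `packages` map and the lockfileVersion 1 nested `dependencies` tree, which goes beyond the single case in the issue. The version numbers 11.8.6 and 10.2.7 are the ones quoted above; the lockfile contents, package names and dependency ranges are constructed for illustration.

```javascript
// Added example, not code from got or cacheable-request: find every installed
// copy of a transitive dependency in a package-lock.json and flag those below
// the version an advisory names as fixed. Supports lockfileVersion 2/3
// ("packages" map) and lockfileVersion 1 (nested "dependencies" tree).
// 11.8.6 and 10.2.7 are the versions quoted in the issue; the rest of this
// lockfile (names, ranges, nesting) is constructed for illustration.

const CONSTRUCTED_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { got: "^11.8.6" } },
    "node_modules/got": {
      version: "11.8.6",
      dependencies: { "cacheable-request": "^7.0.0" }, // range constructed for illustration
    },
    "node_modules/cacheable-request": { version: "7.0.2" },
    "node_modules/other-lib": {
      version: "1.0.0",
      dependencies: { "cacheable-request": "^10.2.7" },
    },
    "node_modules/other-lib/node_modules/cacheable-request": { version: "10.2.7" },
  },
};

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.1" into numeric [major, minor, patch];
// prerelease and build metadata are dropped for this comparison.
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`not a release version: ${v}`);
  }
  return parts;
}

// Numeric semver comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name` as [{ path, version }]. npm nests extra copies
// when dependents request incompatible ranges, so a single patched copy does
// not imply the copy a given dependent loads is patched.
function findInstalledCopies(lock, name) {
  const copies = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are node_modules paths relative to the root
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        copies.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: recursive "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) copies.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return copies;
}

// Flag each installed copy as fixed (>= minFixed) or not.
function auditLockfile(lock, name, minFixed) {
  return findInstalledCopies(lock, name).map(({ path, version }) => ({
    path,
    version,
    fixed: compareVersions(version, minFixed) >= 0,
  }));
}

function formatReport(results, name, minFixed) {
  if (results.length === 0) return `${name}: not installed`;
  return results
    .map((r) => `${r.fixed ? "ok        " : "VULNERABLE"} ${name}@${r.version} at ${r.path} (fixed in ${minFixed})`)
    .join("\n");
}

const results = auditLockfile(CONSTRUCTED_LOCKFILE, "cacheable-request", "10.2.7");
console.log(formatReport(results, "cacheable-request", "10.2.7"));
```

On the constructed lockfile the top-level copy (the one `got` resolves) is reported as below 10.2.7 while the copy nested under `other-lib` is not, which is the distinction a plain `npm ls cacheable-request` can blur. To run it against a real project, replace `CONSTRUCTED_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.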