Security: cacheable-request should be updated on the 11.x.x version

[yoavain]

Describe the bug

Got version 11.8.6 uses a vulnerable version of cacheable-request:
https://github.com/jaredwray/cacheable-request/security/advisories/GHSA-8x6c-cv3v-vp6g

Seems that version 10.2.7 of cacheable-request has a fix.
The GitHub repo still doesn't show that release, but npmjs repo has it

[yoavain]

Seems from the code, that it's not a simple dependency update. It requires a backport of some changes from the main branch (12.x).
Unfortunately, many projects that use 11.8.6 are unable to upgrade to the 12.x version

[arnulfojr]

Looks like cacheable-request dropped support for v8 at EOY 2022. Sadly, v8 was the last version supporting CJS, that means that it might actually be really hard to pull the actual fix on got's 11.8.x ...

https://github.com/jaredwray/cacheable-request/blob/main/SECURITY.md

I reached out in https://github.com/jaredwray/cacheable-request to see if it's possible to have that fix in a CJS version of the package... maybe that simplifies/unblocks(?) the adoption.

[dscalzi]

Upgrading cacheable-request from v7 to v8 in got 11 should fix the issue.

Edit: I did not check the package.json of v7 since the oldest code on github for that library is v8. From subsequent comments, v7's semver range is the same as v8. The advisory should really be deleted.

[yukha-dw]

I don't think this is really a vulnerability?
got v11.8.6 use cacheable-request ^7.0.2, which requires http-cache-semantics ^4.0.0 (there is a caret there, including the fix v4.1.1)

got/package.json

Line 51 in 2b1482c

"cacheable-request": "^7.0.2",

https://github.com/jaredwray/cacheable-request/blob/635f3698f9eaa3fe93e46d82f398efd970852de7/package.json#L34

Maybe the security alert will be dismissed after this PR
github/advisory-database#1693

[dscalzi]

The security advisory was withdrawn, so this should be closed.