alex transitively depends on got that has a security problem
#333
Comments
It’s not an issue. Microsoft/GitHub/npm is lying to you: https://overreacted.io/npm-audit-broken-by-design/.
Note that that's exactly what I wrote.
It’s a lot of work for me to maintain lots of packages. My point isn’t about development dependencies. This particular vulnerability is not a vulnerability for users of alex.
I can suggest setting up a service such as depfu.com; this has been a great help in our project to manage dependencies. Also I'd be happy to do PRs to update dependencies in these cases too, given I'm the one who cares about that.
Subject of the issue
Here are the details of this security advisory:
Got allows a redirect to a UNIX socket
Package: got
Patched in: >=11.8.5
Path: alex > update-notifier > latest-version > package-json > got
More info: https://www.npmjs.com/advisories/1080920
My understanding is that package-json doesn't use the option followRedirect and therefore isn't vulnerable to this issue. Still, having to look at this manually is painful, and it would be much easier if alex could update its dependency to update-notifier (they upgraded the bad dependency in yeoman/update-notifier#222). Thanks
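Added example, not code from the alex project or from the issue author: a small triage helper that walks a lock-file-style dependency tree, reports every path that reaches the flagged package, and compares the installed version against the advisory's "Patched in" range. The tree and its version numbers are constructed for illustration; a version match only says whether the patched release is installed, the reachability argument above (whether followRedirect is ever used) still has to be checked separately.

```javascript
// Constructed dependency tree mirroring the advisory's path; versions are illustrative.
const lockTree = {
  name: "alex",
  dependencies: {
    "update-notifier": {
      version: "5.1.0",
      dependencies: {
        "latest-version": {
          version: "5.1.0",
          dependencies: {
            "package-json": {
              version: "6.5.0",
              dependencies: { got: { version: "9.6.0" } },
            },
          },
        },
      },
    },
  },
};

// Minimal ">=X.Y.Z" check, the only operator this advisory uses (no semver package needed).
function satisfiesMinimum(version, patchedIn) {
  const min = patchedIn.replace(/^>=/, "").split(".").map(Number);
  const cur = version.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (cur[i] !== min[i]) return cur[i] > min[i];
  }
  return true; // exactly the patched version
}

// Depth-first walk collecting "a > b > c" paths that end at the flagged package.
function findPaths(node, pkg, trail = [node.name]) {
  const found = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg) found.push({ path: path.join(" > "), version: child.version });
    found.push(...findPaths(child, pkg, path)); // nested copies may exist at any depth
  }
  return found;
}

// One row per path: where the package is reached and whether that copy is patched.
function triage(tree, pkg, patchedIn) {
  return findPaths(tree, pkg).map((p) => ({ ...p, patched: satisfiesMinimum(p.version, patchedIn) }));
}

console.log(triage(lockTree, "got", ">=11.8.5"));
```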