
alex transitively depends on got that has a security problem #333

Closed
julienw opened this issue Nov 2, 2022 · 4 comments · Fixed by #334

Comments


julienw commented Nov 2, 2022

Subject of the issue

Here are the details of this security advisory:
Got allows a redirect to a UNIX socket
Package: got
Patched in: >=11.8.5
Path: alex > update-notifier > latest-version > package-json > got
More info: https://www.npmjs.com/advisories/1080920

My understanding is that package-json doesn't use the option followRedirect and therefore isn't vulnerable to this issue. Still having to look at this manually is painful, and it would be much easier if alex could update its dependency to update-notifier (they upgraded the bad dependency in yeoman/update-notifier#222).

Thanks
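The advisory above gives a dependency path and a patched range. As an added example (not code from alex, update-notifier or npm), here is how the "Path:" line and the version check can be reproduced from a dependency graph; the graph and the versions in it are constructed for illustration, not what alex actually pins.

```javascript
// Added example: flag a transitive dependency whose installed version is
// below an advisory's patched version, and report the path that reaches it.
// The graph is a constructed, simplified dependency tree (assumption: each
// package resolves to a single version); it is not the real alex lockfile.
const graph = {
  "alex":            { version: "11.0.0", requires: ["update-notifier"] },
  "update-notifier": { version: "5.1.0",  requires: ["latest-version"] },
  "latest-version":  { version: "5.1.0",  requires: ["package-json"] },
  "package-json":    { version: "6.5.0",  requires: ["got"] },
  "got":             { version: "9.6.0",  requires: [] },
};

// From the advisory quoted in the issue: got is patched in >=11.8.5.
const advisory = { name: "got", patchedIn: "11.8.5" };

// Compare two dotted versions numerically. Assumption: plain x.y.z versions,
// no pre-release tags.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Depth-first search for every path from `root` to `target`; the `seen` set
// guards against cycles in the dependency graph.
function findPaths(deps, root, target, path = [], seen = new Set()) {
  if (!deps[root] || seen.has(root)) return [];
  const here = [...path, root];
  if (root === target) return [here];
  seen.add(root);
  const out = [];
  for (const next of deps[root].requires) {
    out.push(...findPaths(deps, next, target, here, seen));
  }
  seen.delete(root);
  return out;
}

// Report each path to the advisory's package and whether the installed
// version is still below the patched version.
function auditTransitive(deps, root, adv) {
  return findPaths(deps, root, adv.name).map((p) => ({
    path: p.join(" > "),
    version: deps[adv.name].version,
    vulnerable: compareVersions(deps[adv.name].version, adv.patchedIn) < 0,
  }));
}
```

A version check like this only says whether the vulnerable code is installed, not whether it is reachable; whether the intermediate package passes the affected option (here `followRedirect`) still has to be read from that package's source.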


wooorm commented Nov 2, 2022

It’s not an issue. Microsoft/GitHub/npm is lying to you: https://overreacted.io/npm-audit-broken-by-design/.


julienw commented Nov 2, 2022

Note that that's exactly what I wrote.
However, having every user look at the potentially offending code themselves is more work than just upgrading the dependency in alex once and for all.
Let's remember that alex gets run on the developer machine, therefore security issues can still be real issues even though it's "just" a development dependency.


wooorm commented Nov 2, 2022

It’s a lot of work for me to maintain lots of packages.

My point isn't about development dependencies. This particular vulnerability is not a vulnerability for users of alex.


julienw commented Nov 2, 2022

I can suggest setting up a service such as depfu.com; this has been a great help in our project for managing dependencies.

Also I'd be happy to do PRs to update dependencies in these cases too, given I'm the one who cares about that.
