@remy I don't mean to be annoying, but I'm looking at the npm audit from my project, and it's reporting, rightly or wrongly:
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
nodemon >=1.3.5
Depends on vulnerable versions of update-notifier
node_modules/nodemon
And I get that nodemon 2.0.18 is the latest, but as I read the package.json of that tagged version, it's on update-notifier 5.1.0, which is still vulnerable.
Are you saying that 2.0.18 doesn't have the dependency issue that's being reported? That would be great! But I did look at the dependencies of each of these projects, and package-json has been updated to use a patched version of got... but latest-version and update-notifier have not... at least not in the repos.
Again, I'm sorry if I'm restating the obvious that you've already handled...
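The chain the comment above traces by hand (nodemon > update-notifier > latest-version > package-json > got) can be read straight out of a package-lock.json instead of each repo's package.json. The script below is an added example, not code from the nodemon project or this thread: it walks a constructed lockfile fragment in the lockfileVersion 2/3 "packages" shape, resolves each dependency the way npm does (nearest node_modules first, then hoisted upward), and lists every chain whose final package is still older than a fixed version that the caller supplies from the advisory; the version numbers in the fragment are sample values.

```javascript
// Constructed lockfile fragment (lockfileVersion 3 "packages" shape) mirroring the
// chain npm audit reported above; version numbers are sample values, not real data.
const LOCK = { packages: {
  "": { dependencies: { nodemon: "^2.0.18" } },
  "node_modules/nodemon": { version: "2.0.18", dependencies: { "update-notifier": "^5.1.0" } },
  "node_modules/update-notifier": { version: "5.1.0", dependencies: { "latest-version": "^5.1.0" } },
  "node_modules/latest-version": { version: "5.1.0", dependencies: { "package-json": "^6.5.0" } },
  "node_modules/package-json": { version: "6.5.0", dependencies: { got: "^9.6.0" } },
  "node_modules/got": { version: "9.6.0" },
} };
// npm resolution: try <from>/node_modules/<name>, then walk up (hoisting) to the root.
function resolve(lock, from, name) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    base = base.includes("/node_modules/") ? base.slice(0, base.lastIndexOf("/node_modules/")) : "";
  }
}
// Depth-first walk from the root collecting every chain that ends at `target`;
// `seen` guards against dependency cycles in the lockfile graph.
function chainsTo(lock, target) {
  const found = [];
  const walk = (path, chain, seen) => {
    const pkg = lock.packages[path];
    if (!pkg || seen.has(path)) return;
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const depPath = resolve(lock, path, dep);
      if (!depPath) continue; // not in the lockfile: nothing to follow
      const step = chain.concat({ name: dep, version: lock.packages[depPath].version });
      if (dep === target) found.push(step); else walk(depPath, step, new Set(seen).add(path));
    }
  };
  walk("", [], new Set());
  return found;
}
// Numeric major.minor.patch compare: is `version` older than `fixed`?
function below(version, fixed) {
  const a = version.split(".").map(Number), b = fixed.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
// Chains whose final package is still older than the advisory's fixed version
// (the caller supplies `fixed` from the advisory), rendered as "a@1 > b@2 > ...".
function vulnerableChains(lock, target, fixed) {
  return chainsTo(lock, target).filter((c) => below(c[c.length - 1].version, fixed))
    .map((c) => c.map((p) => p.name + "@" + p.version).join(" > "));
}
```

Run it against a real lock by replacing LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and passing the fixed version from the advisory for CVE-2022-33987; an empty result means no installed chain still reaches an old got.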
nodemon -v:
npm audit
Expected behaviour
Not to have a Security Vulnerability: CVE-2022-33987
Actual behaviour
Security Vulnerability
Steps to reproduce
If applicable, please append the --dump flag on your command and include the output here, ensuring to remove any sensitive/personal details or tokens.