
Security vulnerability in got@9.6.0 #2067

Closed
1 of 2 tasks
lorand-horvath opened this issue Jun 23, 2022 · 6 comments

Comments

@lorand-horvath

lorand-horvath commented Jun 23, 2022

Describe the bug

  • Node.js version: 12.22.12
  • OS & version: Win 7 x64

Actual behavior

Security vulnerability reported in got@9.6.0
https://nvd.nist.gov/vuln/detail/CVE-2022-33987
GHSA-pfrx-2q88-qq97

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install nodemon@1.3.3, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  >=0.2.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        nodemon  >=1.3.5
        Depends on vulnerable versions of update-notifier
        node_modules/nodemon

5 moderate severity vulnerabilities

...

Expected behavior

Please backport the fix 861ccd9 to got 9.x
...

Code to reproduce

...

Checklist

  • I have read the documentation.
  • I have tried my code with the latest version of Node.js and Got.
@szmarczak
Collaborator

We don't support got@9.6.0 anymore.

@lorand-horvath
Author

@szmarczak Thanks for replying. It looks like nodemon will go with a different implementation remy/nodemon#2033

@szmarczak
Collaborator

szmarczak commented Jun 25, 2022

Sorry, I don't follow. What has nodemon to do with Got? What implementation? Your issue is a request not a bug report.

@Trim

Trim commented Jun 27, 2022

> Sorry, I don't follow. What has nodemon to do with Got? What implementation? Your issue is a request not a bug report.

FYI, nodemon is depending on got through this dependency chain (as written in the npm audit report in this issue description):

nodemon@>=1.3.5 <- update-notifier@>=0.2.0 <- latest-version@(0.2.0 - 5.1.0) <- got@<=6.5.0

We have to check the whole dependency chain to know which dependency should update its sub-dependencies.

So, for got, there's nothing to do, as you say version 6 is deprecated and the GitHub advisory shows there's already a patched version.

@lorand-horvath
Author

@szmarczak As @Trim said above, nodemon depends on update-notifier@5.1.0 which further depends on the vulnerable got@9.6.0.
The nodemon developer tried to bump update-notifier@6.0.0 in remy/nodemon#2029 but ran into issues due to the ESM-only nature of the newer packages. If update-notifier@6 had had a CommonJS build available, the vulnerability would have been solved with the automatic bump in the transient dependency to got@12.
Since only got@11 received the backport to fix the vulnerability, I thought the entire issue of nodemon would be easily solved with a backport to got@9.

So it seems the only solution for nodemon is to drop update-notifier and implement another CJS solution, for example remy/nodemon#2033 or remy/nodemon#2035

@Axent96

Axent96 commented Jun 28, 2022

related to remy/nodemon#2040
