lighthouse-ci
`got` has security vulnerability
The [email protected] package (that has been indirectly referenced in this repository) contains a "Moderate" security vulnerability - see https://github.com/advisories/GHSA-pfrx-2q88-qq97. The vulnerability has been fixed in a later version i.e. [email protected] (or higher).
Here is the output of the npm why command run on a repo containing the @lhci/[email protected] - it shows the dependency tree of how the got package is being imported into this package:
$ npm why got
[email protected]
node_modules/got
  got@"^9.6.0" from [email protected]
  node_modules/package-json
    package-json@"^6.3.0" from [email protected]
    node_modules/latest-version
      latest-version@"^5.0.0" from [email protected]
      node_modules/update-notifier
        update-notifier@"^3.0.1" from @lhci/[email protected]
        node_modules/@lhci/cli
          @lhci/cli@"^0.9.0" from the root project
Consider upgrading the update-notifier package to 6.0.2 or the latest version. Or, as per issue https://github.com/GoogleChrome/lighthouse/issues/13453, consider merging PR #756 where the update-notifier package is being removed.
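To make the npm why chain above concrete, here is an added example (not code from this issue or from the lighthouse-ci project) that walks a package-lock.json "packages" map the same way npm why does, prints each chain that reaches got in npm why's own layout, and checks the resolved got version against the fixed version. The lockfile fragment and its installed versions are constructed to mirror the chain in the post (the post's own version numbers are not legible here), and the 11.8.5 lower bound of the fixed range is an assumption to be confirmed against the advisory link.

```javascript
'use strict';

// Constructed package-lock.json fragment (lockfileVersion 2/3 "packages" map)
// mirroring the `npm why got` chain above; installed versions are illustrative.
const lock = {
  packages: {
    '': { name: 'demo-root', dependencies: { '@lhci/cli': '^0.9.0' } },
    'node_modules/@lhci/cli': { version: '0.9.0', dependencies: { 'update-notifier': '^3.0.1' } },
    'node_modules/update-notifier': { version: '3.0.1', dependencies: { 'latest-version': '^5.0.0' } },
    'node_modules/latest-version': { version: '5.1.0', dependencies: { 'package-json': '^6.3.0' } },
    'node_modules/package-json': { version: '6.5.0', dependencies: { got: '^9.6.0' } },
    'node_modules/got': { version: '9.6.0' },
  },
};

// Assumed lower bound of the fixed range for GHSA-pfrx-2q88-qq97;
// confirm against the advisory before relying on it.
const GOT_FIXED_IN = '11.8.5';

// Node resolution against the lockfile: look for <base>/node_modules/<dep>,
// then hoist one level at a time until the top-level node_modules.
function resolveFrom(lockfile, pkgPath, depName) {
  let base = pkgPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (lockfile.packages[candidate]) return candidate;
    if (base === '') return null;
    const i = base.lastIndexOf('node_modules/');
    base = i <= 0 ? '' : base.slice(0, i - 1); // strip trailing /node_modules/<name>
  }
}

// Depth-first walk from the root project, recording every dependency
// chain that ends at `target` (what `npm why` reports).
function chainsTo(lockfile, target) {
  const chains = [];
  (function walk(pkgPath, chain) {
    const deps = lockfile.packages[pkgPath].dependencies || {};
    for (const [name, range] of Object.entries(deps)) {
      const depPath = resolveFrom(lockfile, pkgPath, name);
      if (!depPath || chain.some((s) => s.path === depPath)) continue; // unresolved or cycle
      const step = { name, range, path: depPath, version: lockfile.packages[depPath].version };
      const next = chain.concat(step);
      if (name === target) chains.push(next);
      else walk(depPath, next);
    }
  })('', []);
  return chains;
}

// Render one chain in the same shape as `npm why` output.
function formatWhy(chain) {
  const leaf = chain[chain.length - 1];
  const lines = [`${leaf.name}@${leaf.version}`, leaf.path];
  for (let i = chain.length - 1; i >= 0; i--) {
    const step = chain[i];
    const parent = i > 0 ? chain[i - 1] : null;
    const indent = '  '.repeat(chain.length - i);
    const from = parent ? `${parent.name}@${parent.version}` : 'the root project';
    lines.push(`${indent}${step.name}@"${step.range}" from ${from}`);
    if (parent) lines.push(indent + parent.path);
  }
  return lines.join('\n');
}

// Minimal x.y.z comparison; prerelease tags are not handled, which is
// enough for the release versions involved here.
function versionLessThan(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Summarise: every chain to `got`, the installed version(s), and which of
// them still fall below the assumed fixed version.
function auditGot(lockfile) {
  const chains = chainsTo(lockfile, 'got');
  const versions = [...new Set(chains.map((c) => c[c.length - 1].version))];
  return {
    chains: chains.map(formatWhy),
    versions,
    vulnerable: versions.filter((v) => versionLessThan(v, GOT_FIXED_IN)),
  };
}

const report = auditGot(lock);
console.log(report.chains.join('\n\n'));
console.log(report.vulnerable.length
  ? `got ${report.vulnerable.join(', ')} is below ${GOT_FIXED_IN}`
  : 'got is at a fixed version');
```

On a real checkout, run it against the project's own package-lock.json (or simply compare with npm why got / npm ls got). If the chain cannot be broken by upgrading update-notifier, npm 8.3 and later also accept an overrides field in package.json to pin a transitive dependency such as got to a fixed version, which this script would then report as clean.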
#756 has been merged. Oddly, npm has @lhci/[email protected], but the latest in this repo is 0.1.0 and the last time that line was changed was 3 years ago. I don't think this repo is where the package is getting published from despite the repository URL in the package.json.
> #756 has been merged.
@jamesarosen - Thank you for merging the PR. I will wait for the next release into the npm registry before marking this issue as "Closed".
> Oddly, npm has @lhci/[email protected], but the latest in this repo is 0.1.0 and the last time that line was changed was 3 years ago. I don't think this repo is where the package is getting published from despite the repository URL in the package.json.
@jamesarosen - I am not a contributor on this repository - so I am not entirely familiar with the release process for this repository. Normally, I would agree with you. However, I noticed that the release process has been creating tags in this repository corresponding to the versions being published into the npm registry. This repository contains an npm workspace - that houses 4 projects / packages - see this folder. I am guessing that the release process is missing the step to increment the version numbers within each of the 4 package.json files (before the npm publish step). For example:

The GitHub tag v0.9.0 appears to be published as the following npm packages:
I hope this gets a release soon. lhci/cli is the only package in our project that has any vulnerabilities - always disappointing to see the orange npm message popping up that something might be wrong.

without @lhci/cli installed:

Hello,
Any update on this?
0.10.0 is now available.