node-jq
Socket redirect vulnerability in "got" dependency
Description
Dependabot and npm audit identify a vulnerability in "got" dependency (fixed in >= 11.8.5): https://github.com/advisories/GHSA-pfrx-2q88-qq97.
Test Source
git clone https://github.com/sanack/node-jq.git
cd node-jq
npm install
Error Message & Stack Trace
```bash
# npm audit report

got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/bin-build/node_modules/got
node_modules/got
  download >=4.0.0
  Depends on vulnerable versions of got
  node_modules/bin-build/node_modules/download
  node_modules/download
    bin-build >=2.1.2
    Depends on vulnerable versions of download
    node_modules/bin-build
```
Environment
nodejs version:
node -e "var os=require('os');console.log('Node.js ' + process.version + '\n' + os.platform() + ' ' + os.release())"
Node.js v18.0.0
darwin 21.5.0
npm version:
npm --version
8.6.0
node-jq version:
cat node_modules/node-jq/package.json | grep "version"
"version": "2.3.3",
Hey @donaldoakes
Extremely unlikely that the got dependency reaches prod, since this code doesn't run on the execution of node-jq. It's used to download the binary on install.
Nevertheless, I will try to fix it, Thanks!
:tada: This issue has been resolved in version 2.3.5 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
The dependency is still being dragged in by bin-build 3.0.0. The issue is reported in its repo (https://github.com/kevva/bin-build/issues/16). To fully fix this issue, I think you'll need to bump bin-build when they get it resolved.