
Npm audit failure via older version of got

Open wbt opened this issue 2 years ago • 5 comments

npm audit is failing in packages that use this, reporting:

got <11.8.5 Severity: moderate Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97

The got package is currently specified here at version 8. That would have to be updated to at least 11.8.5 to resolve the audit failure.

wbt avatar Jun 22 '22 18:06 wbt

@sindresorhus If I'm not mistaken, you merged the Bugfix in got in https://github.com/sindresorhus/got/pull/2047 which is awesome. download is a quite often used library (~3 million installs a week) that still relies on the older version of got. Since you EDIT: ~do~ might have write access to https://github.com/kevva/download could you upgrade got in download as well? That would be really great!

apepper avatar Jun 30 '22 10:06 apepper

> Since you do have write access to https://github.com/kevva/download could you upgrade got in download as well? That would be really great!

It would be great indeed. :)

However, sindresorhus does not have write access to this repository anymore, according to a comment he made on another issue. So he cannot upgrade got in download.

striezel avatar Jul 05 '22 15:07 striezel

So this will not get fixed?

What is a good alternative for this package?

bbird5490 avatar Jul 25 '22 18:07 bbird5490

@wbt Hi Buddy, a temporary solution for your problem is to go to your package-lock.json file ("node_modules/download") and update your "got" module version manually to 11.8.5 or 11.8.3, then install NPM again. I did the same, as in the code below. It temporarily fixed my problem.

```json
"node_modules/download": {
  "version": "8.0.0",
  "resolved": "https://registry.npmjs.org/download/-/download-8.0.0.tgz",
  "integrity": "sha512-ASRY5QhDk7FK+XrQtQyvhpDKanLluEEQtWl/J7Lxuf/b+i8RYh997QeXvL85xitrmRKVlx9c7eTrcRdq2GS4eA==",
  "dependencies": {
    "archive-type": "^4.0.0",
    "content-disposition": "^0.5.2",
    "decompress": "^4.2.1",
    "ext-name": "^5.0.0",
    "file-type": "^11.1.0",
    "filenamify": "^3.0.0",
    "get-stream": "^4.1.0",
    "got": "^11.8.3",
    "make-dir": "^2.1.0",
    "p-event": "^2.1.0",
    "pify": "^4.0.1"
  },
  "engines": {
    "node": ">=10"
  }
},
```

mohit8285 avatar Feb 24 '23 17:02 mohit8285
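An added example, not from this thread or from the download project: a small Node script that parses a package-lock.json (lockfileVersion 2/3 `packages` map) and lists every nested copy of got below 11.8.5, the first version not flagged by the advisory above. The sample lockfile and its version ranges are constructed for illustration; the script also accepts a real lockfile path as its first argument.

```javascript
// Added example: find copies of got older than the advisory's fixed version in a lockfile.
const FIXED = "11.8.5";   // first got release not flagged by GHSA-pfrx-2q88-qq97
const PACKAGE = "got";

// Minimal numeric semver compare for "MAJOR.MINOR.PATCH" (pre-release tags stripped).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Return every lockfile path whose package name is `got` and whose resolved version is below FIXED.
function findVulnerableGot(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/download/node_modules/got"; the last segment is the package name.
    if (path.split("node_modules/").pop() !== PACKAGE) continue;
    if (entry.version && compareVersions(entry.version, FIXED) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: download@8 pulling a nested got@8, plus an unaffected top-level got@12.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/got": { version: "12.0.0" },
    "node_modules/download": { version: "8.0.0", dependencies: { got: "^8.0.0" } },
    "node_modules/download/node_modules/got": { version: "8.3.2" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : sampleLock;
  for (const h of findVulnerableGot(lock)) console.log(`${h.path}: got@${h.version} < ${FIXED}`);
}
```

Note that editing the lockfile entry, as in the workaround above, changes which got is installed but not download's own code, which was written against got 8; exercise the download paths you rely on after such a change.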

> So this will not get fixed?

It doesn't look like it will get fixed. As things are now, this package has basically been unmaintained for almost three years. :(

> What is a good alternative for this package?

I saw other projects where this package was replaced by node-downloader-helper, but I do not know how good that alternative is.

striezel avatar Feb 24 '23 21:02 striezel