Security warning: Dependabot alert: Got allows a redirect to a UNIX socket
**Describe the bug**
Security warning by Dependabot alert: The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.
**To Reproduce**
Happens on version 3.12.0
**Expected behavior**
A clear and concise description of what you expected to happen.
**Logs**
If applicable, add logs to help explain your problem.
**Operating system, Node.js and npm versions, or browser version (please complete the following information):**
- OS: [e.g. Ubuntu 18.04]
- Node.js: [e.g. 8.11.1]
- npm: [e.g. 5.6.0]
- Browser: [e.g. Chrome 73.0.3683]
**Additional context**
Add any other context about the problem here.
Hi @techterbium ,
The "got" package is not a direct dependency of this project. So, you'll have to fix the security alert by pinning the dependency in your own package-lock.json file in your repository.
Hi @javierbrea,
First of all: thanks for this great work!
Just wanted to jump in here and note that the security warning still exists on fresh install of mocks-server/main.
It appears that update-notifier (up to v5.1.0) depends on a vulnerable version of the got package, and mocks-server/core depends on v5.1.0 of update-notifier.

https://github.com/mocks-server/main/blob/bf9dd81d142e796efe90f523aec8b271f0a645e3/packages/core/package.json#L60
There is a v6 of update-notifier: https://github.com/yeoman/update-notifier/releases/tag/v6.0.0
We'd need to figure out if/how an upgrade to v6 affects mocks-server/core.
Otherwise, there is an alternative v5 version that has no breaking changes and fixes the vulnerability. See here: https://github.com/yeoman/update-notifier/issues/218#issuecomment-1240204177
Perhaps switching to update-notifier-cjs is an option?
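As an added example (not code from the mocks-server project or from anyone in this thread), a small script that finds which copies of got in a package-lock.json are still in the vulnerable ranges, including copies nested under update-notifier rather than only the top-level one. The lockfile it scans is a constructed sample, and the version boundaries (below 11.8.5, or 12.x below 12.1.0) are taken from the advisory text quoted above.

```javascript
// Added example (not mocks-server code): scan a package-lock.json "packages"
// map (lockfileVersion 2/3) for copies of "got" that are still in the
// ranges the advisory above names: before 11.8.5, or 12.x before 12.1.0.
// The lockfile below is a constructed sample, not the project's real one.
const FIXED = { 11: [11, 8, 5], 12: [12, 1, 0] };

// Parse "MAJOR.MINOR.PATCH" into numbers; a pre-release suffix is dropped.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Vulnerable: any release below 11.8.5, or a 12.x release below 12.1.0.
function isVulnerableGot(version) {
  const v = parseVersion(version);
  if (v[0] < 11) return true;
  if (v[0] === 11 || v[0] === 12) return cmp(v, FIXED[v[0]]) < 0;
  return false;
}

// Return every lockfile path ending in node_modules/got whose version is
// still vulnerable, so nested copies (like the one under update-notifier)
// are reported and not just the top-level "got".
function findVulnerableGot(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/got") && entry.version &&
        isVulnerableGot(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: a patched top-level got plus an old copy nested
// under update-notifier, the shape described in the thread above.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/got": { version: "11.8.5" },
    "node_modules/update-notifier": { version: "5.1.0" },
    "node_modules/update-notifier/node_modules/got": { version: "9.6.0" },
  },
};
console.log(findVulnerableGot(SAMPLE_LOCK));
```

To run it against a real repository, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; an empty result means no remaining copy of got is in the affected ranges.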