
http-cache-semantics vulnerability from got #1755

Open
yuvitaljanetr opened this issue May 2, 2024 · 3 comments
Labels
dependencies Pull requests that update a dependency file

Comments


yuvitaljanetr commented May 2, 2024

Snyk raised a vulnerability in:
got@11.8.5 › cacheable-request@7.0.2 › http-cache-semantics@4.1.0

Are there plans to update to got version 12.6.0?

┆Issue is synchronized with this Jira Task by Unito

@sacOO7 sacOO7 added the dependencies Pull requests that update a dependency file label May 2, 2024

VeskeR commented May 3, 2024

Hi @yuvitaljanetr !

Thank you for reporting this vulnerability. After a quick look at the got v12 breaking changes, it seems that the only part that might cause issues is that, starting from v12, got is now pure ESM, which might cause some edge-case issues as we're providing a CJS module for Node.js.

I'm currently looking into this and will get back to you with an update as soon as possible.


VeskeR commented May 3, 2024

Hey @yuvitaljanetr !

It looks like your lock file (package-lock.json or yarn.lock) holds an older version of the http-cache-semantics package, which has this vulnerability. Since the ably-js Node.js bundle doesn't come pre-bundled with any specific got version or its dependencies, and instead uses the version compatible with got@11 which is installed based on your package.json, ably-js ends up transitively using the http-cache-semantics@4.1.0 version in your project.

To fix this, you can try deleting your lock file and reinstalling all packages. This should update the dependency tree with the latest compatible versions for all libraries, including setting the http-cache-semantics package to its latest 4.1.1 version.

Alternatively, you can use the package.json's overrides property to override the version to use for http-cache-semantics:

{
  "overrides": {
    "got": {
      "http-cache-semantics": "4.1.1"
    }
  }
}

After that, run npm install (or yarn install). This should update your lock file to have http-cache-semantics@4.1.1. You can then remove this overrides property from your package.json.


VeskeR commented May 22, 2024

Hello @yuvitaljanetr !

I hope you're doing well. Were you able to resolve your issue with the http-cache-semantics version vulnerability?
