I use @electron/get as a dependency, and I started failing audits for this issue: GHSA-8x6c-cv3v-vp6g
@electron/get v2.02 uses got v11.8.5, which uses cacheable-request v7.0.2. Any version of cacheable-request below 10.2.7 is vulnerable to the above advisory. The latest version of got, v12.5.3, references a safe version of cacheable-request, so updating the got dependency should also address this advisory.
I tried using yarn resolutions to force cacheable-request to v10.2.7, and I got the following error messages:
Error [ERR_REQUIRE_ESM]: require() of ES Module /.../node_modules/got/dist/source/index.js from .../node_modules/@electron/get/dist/cjs/GotDownloader.js not supported.
Instead change the require of index.js in .../node_modules/@electron/get/dist/cjs/GotDownloader.js to a dynamic import() which is available in all CommonJS modules.
at Object.<anonymous> (...r/node_modules/@electron/get/dist/cjs/GotDownloader.js:15:15)
at .../node_modules/@electron/get/dist/cjs/downloader-resolver.js:8:66
at async Object.getDownloaderForSystem (.../node_modules/@electron/get/dist/cjs/downloader-resolver.js:8:31)
at async .../node_modules/@electron/get/dist/cjs/index.js:67:59
at async useAndRemoveDirectory (.../node_modules/@electron/get/dist/cjs/utils.js:10:18)
Request
Can this package update to a non-vulnerable version of got or cacheable-request?
cacheable-request depends on http-cache-semantics, which contains an Inefficient Regular Expression Complexity in versions prior to 4.1.1 of that package.
The underlying issue stems from cacheable-request<4.1.1, but cacheable-request@7.0.2 seems to only specify http-cache-semantics^4.0.0. You could probably upgrade http-cache-semantics in your lockfile without upgrading cacheable-request to receive the DoS fix, assuming that package follows semver closely.
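As an added illustration of the workaround suggested in the comment above (not part of the issue or of the @electron/get project), the following package.json fragment pins the transitive http-cache-semantics dependency via yarn `resolutions` rather than forcing cacheable-request to 10.x. Forcing cacheable-request to 10.2.7 pulls in an ESM-only got, which is what produces the ERR_REQUIRE_ESM error in the report; overriding http-cache-semantics alone stays within the ^4.0.0 range that cacheable-request@7.0.2 declares, so the CommonJS got@11 build keeps loading. The package name and version fields are constructed placeholders; the version constraints come from the thread.

```json
{
  "name": "example-app-using-electron-get",
  "version": "0.0.0",
  "private": true,
  "dependencies": {
    "@electron/get": "2.0.2"
  },
  "resolutions": {
    "http-cache-semantics": "^4.1.1"
  }
}
```

After editing the file, run `yarn install` so the lockfile is regenerated, then `yarn why http-cache-semantics` to confirm that only the patched version remains in the tree; a re-run of `yarn audit` should no longer list GHSA-8x6c-cv3v-vp6g. Be aware that `resolutions` applies to every consumer of the package in the tree, so any other dependent that relied on pre-4.1.1 behaviour is overridden as well.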