npm 8.19.3: security issue in the http-cache-semantics

[mihob]

There is a security issue in the http-cache-semantics package used by the make-fetch-happen package.

The current version of make-fetch-happen uses a version of http-cache-semantics in which the problem is fixed.

Would it be possible to update the dependencies accordingly?

[Morl99]

That should be fixed with v9.4.2

[mihob]

It may be fixed for 9.x, but not for 8.x

[ljharb]

@mihob 8.x is EOL and won't likely ever be fixed. only npm 6 and npm 9 are still getting updates afaik.

[denholtz]

This is just waiting on a merge.
https://github.com/npm/cli/pull/6148/files

[Morl99]

Is there a specific reason to not update to npm 9?

[wraithgar]

regardless of how this gets backported to npm 8, npm 8 itself is not vulnerable. This is only causing an npm audit warning because the module itself has a vulnerability at that version. The vulnerability is when http-cache-semantics is used to parse requests, which the npm cli does not do.

[okuryu]

It looks like v8.19.4 has http-cache-semantics update.
https://github.com/npm/cli/releases/tag/v8.19.4