Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http-cache-semantics vulnerability from got #1755

Open
yuvitaljanetr opened this issue May 2, 2024 · 3 comments
Open

http-cache-semantics vulnerability from got #1755

yuvitaljanetr opened this issue May 2, 2024 · 3 comments
Labels
dependencies Pull requests that update a dependency file

Comments

@yuvitaljanetr
Copy link

yuvitaljanetr commented May 2, 2024

Snyk raised a vulnerability in:
[email protected][email protected][email protected]

Are there plans to update to got version 12.6.0?

┆Issue is synchronized with this Jira Task by Unito

@sacOO7 sacOO7 added the dependencies Pull requests that update a dependency file label May 2, 2024
@VeskeR
Copy link
Contributor

VeskeR commented May 3, 2024

Hi @yuvitaljanetr !

Thank you for reporting this vulnerability. After a quick look at the got v12 breaking changes, it seems that the only part that might cause issues is that, starting from v12, got is now pure ESM, which might cause some edge-case issues as we're providing a CJS module for Node.js.

I'm currently looking into this and will get back to you with an update as soon as possible.

@VeskeR
Copy link
Contributor

VeskeR commented May 3, 2024

Hey @yuvitaljanetr !

It looks like your lock file (package-lock.json or yarn.lock) holds an older version of the http-cache-semantics package, which has this vulnerability. Since the ably-js Node.js bundle doesn't come pre-bundled with any specific got version or its dependencies, and instead uses the version compatible with got@11 which is installed based on your package.json, ably-js ends up transitively using the [email protected] version in your project.

To fix this, you can try deleting your lock file and reinstalling all packages. This should update the dependency tree with the latest compatible versions for all libraries, including setting the http-cache-semantics package to its latest 4.1.1 version.

Alternatively, you can use the package.json's overrides property to override the version to use for http-cache-semantics:

{
  "overrides": {
    "got": {
      "http-cache-semantics": "4.1.1"
    }
  }
}

After that, run npm install (or yarn install). This should update your lock file to have [email protected]. You can then remove this overrides property from your package.json.

@VeskeR
Copy link
Contributor

VeskeR commented May 22, 2024

Hello @yuvitaljanetr !

I hope you're doing well. Were you able to resolve your issue with http-cache-semantics version vulnerability?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Development

No branches or pull requests

3 participants