Security vulnerability in [email protected]

[lorand-horvath]

Describe the bug

• Node.js version: 12.22.12
• OS & version: Win 7 x64

Actual behavior

Security vulnerability reported in [email protected]
https://nvd.nist.gov/vuln/detail/CVE-2022-33987
GHSA-pfrx-2q88-qq97

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  >=0.2.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        nodemon  >=1.3.5
        Depends on vulnerable versions of update-notifier
        node_modules/nodemon

5 moderate severity vulnerabilities

...

Expected behavior

Please backport the fix 861ccd9 to got 9.x
...

Code to reproduce

...

Checklist

• I have read the documentation.
• I have tried my code with the latest version of Node.js and Got.

[szmarczak]

We don't support [email protected] anymore.

[lorand-horvath]

@szmarczak Thanks for replying. It looks like nodemon will go with a different implementation remy/nodemon#2033

[szmarczak]

Sorry, I don't follow. What has nodemon to do with Got? What implementation? Your issue is a request not a bug report.

[Trim]

Sorry, I don't follow. What has nodemon to do with Got? What implementation? Your issue is a request not a bug report.

FYI, nodemon is depending on got through this dependency chain (as written in the npm audit report in this issue description):

nodemon@>=1.3.5 <- update-notifier@>=0.2.0 <- latest-version@(0.2.0 - 5.1.0) <- got@<=6.5.0

We have to check all the dependency chain to know which dependency should update its sub-dependencies.

So, for got, there's nothing to do as you say the version 6 is deprecated and the github advisory shows there's already patched version existing.

[lorand-horvath]

@szmarczak As @Trim said above, nodemon depends on [email protected] which further depends on the vulnerable [email protected].
The nodemon developer tried to bump [email protected] in remy/nodemon#2029 but run into issues due to the ESM-only nature of the newer packages. If update-notifier@6 would have had a CommonJS build available, the vulnerability would have been solved with the automatic bump in the transient dependency to got@12.
Since only got@11 received the backport to fix the vulnerability, I thought the entire issue of nodemon would be easily solved with a backport to got@9.

So it seems the only solution for nodemon is to drop update-notifier and implement another CJS solution. for example remy/nodemon#2033 or remy/nodemon#2035

[Axent96]

related to remy/nodemon#2040