Security leak on package got
Description
The package np reports a security leak. See section below for more details.
Steps to reproduce
- Create a node project (
mkdir ~/node_test && cd ~/node_test && npm init -y); - Install package
npwith the command runnpm i --save-dev np; - Run command
npm audit
Output:
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
node_modules/package-json/node_modules/got
npm-name <=6.0.1
Depends on vulnerable versions of got
node_modules/npm-name
np >=2.2.0
Depends on vulnerable versions of npm-name
Depends on vulnerable versions of update-notifier
node_modules/np
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
Expected behavior
Nothing but a security leak.
Environment
np - 7.6.3
Node.js - 19.6.0
npm - 9.5.0
Git - 2.25.1
OS - Linux Ubuntu 20.04
sindresorhus / np
A better `npm publish`
7.6k
How does funding with Polar work?
1
Pay now to fund the work behind this issue.
2
Get updates on progress being made.
3
Maintainer is rewarded once the issue is completed.
FAQ
Backer
You're funding impactful open source efforts
Contributor
You want to contribute to this effort
Maintainer
You want to get funding like this too