Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependabot alerts: Got allows a redirect to a UNIX socket #224

Closed
el3um4s opened this issue Jun 26, 2022 · 5 comments
Closed

Dependabot alerts: Got allows a redirect to a UNIX socket #224

el3um4s opened this issue Jun 26, 2022 · 5 comments

Comments

@el3um4s
Copy link

el3um4s commented Jun 26, 2022

This warning appears in my projects:

Dependabot alerts: Got allows a redirect to a UNIX socket

The latest possible version that can be installed is 9.6.0 because of the following conflicting dependencies:

electron@19.0.6 requires got@^9.6.0 via @electron/get@1.14.1
electron-builder@23.1.0 requires got@^9.6.0 via a transitive dependency on package-json@6.5.0
nodemon@2.0.18 requires got@^9.6.0 via a transitive dependency on package-json@6.5.0

Is there anything that can be done?

@shellatomic
Copy link

Could anyone help me to fix this issue:
Open Redirect [Medium Severity][https://snyk.io/vuln/SNYK-JS-GOT-2932019] in got@9.6.0
introduced by @electron/get@1.14.1 > got@9.6.0 and 1 other path(s) This issue was fixed in versions: 11.8.5, 12.1.

@malept
Copy link
Member

malept commented Jul 7, 2022

In my opinion this is not a high priority for @electron/get. In order to trigger this, it needs to either hijack the user's DNS or their environment variables. If either of those conditions happen, you have larger problems and the attacker might as well do other, less convoluted attacks.

That being said, it will eventually get fixed. However, due to the major version bump of got (which increases the minimum Node.js version), this will not affect any currently released version of the electron npm module, as changing the minimum Node.js version (even transitively) is considered a major breaking change.

@kayahr
Copy link

kayahr commented Jul 31, 2022

It would be nice to get this fixed by applying the already existing PR. I use Electron in a lot of my projects and it is a bit annoying to get audit warnings from NPM and from Github's dependabot all the time because of this got issue.

In my opinion it is not a good practice to rely on old dependencies which seems to be no longer supported upstream. If you have strong reasons to stay at version 9 then maybe ask the author of got to publish a new patched version 9 to get this issue out of the way?

@loukamb
Copy link

loukamb commented Nov 14, 2022

This is an incredibly annoying problem. The warning alone is an annoyance, but it becomes more annoying when your project's release was needlessly delayed because senior developers from the other team thought npm's warnings in the CI/CD logs implied your codebase was vulnerable. I don't know if the above PR fixed this issue but even on the latest versions of electron and electron-builder the warning is still present.

@kayahr
Copy link

kayahr commented Nov 14, 2022

Looks like this problem is already fixed since @electron/get v2 which is used in electron v22. Problem is, electron 22 is not yet released (but installable with npm i electron@beta). So we just have to wait. There is nothing else to do.

And I guess this ticket can be closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants