Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Dependabot alerts: Got allows a redirect to a UNIX socket

See original GitHub issue

This warning appears in my projects:

Dependabot alerts: Got allows a redirect to a UNIX socket

The latest possible version that can be installed is 9.6.0 because of the following conflicting dependencies:

electron@19.0.6 requires got@^9.6.0 via @electron/get@1.14.1
electron-builder@23.1.0 requires got@^9.6.0 via a transitive dependency on package-json@6.5.0
nodemon@2.0.18 requires got@^9.6.0 via a transitive dependency on package-json@6.5.0

Is there anything that can be done?

Issue Analytics

State:
Created a year ago
Reactions:10
Comments:5 (1 by maintainers)

Top GitHub Comments

24reactions

kayahrcommented, Jul 31, 2022

It would be nice to get this fixed by applying the already existing PR. I use Electron in a lot of my projects and it is a bit annoying to get audit warnings from NPM and from Github’s dependabot all the time because of this got issue.

In my opinion it is not a good practice to rely on old dependencies which seems to be no longer supported upstream. If you have strong reasons to stay at version 9 then maybe ask the author of got to publish a new patched version 9 to get this issue out of the way?

1reaction

kayahrcommented, Nov 14, 2022

Looks like this problem is already fixed since @electron/get v2 which is used in electron v22. Problem is, electron 22 is not yet released (but installable with npm i electron@beta). So we just have to wait. There is nothing else to do.

And I guess this ticket can be closed.