Update `package-json` to >=8.0.0 for vulnerability in `got` >= 12.0.0, < 12.1.0, < 11.8.5
Environment
- nodemon -v: 2.0.15
- node -v: v14.18.1
- Operating system/terminal environment: macOS 12.5
Issue
nodemon@2.0.15 requires got@^9.6.0 via a transitive dependency on package-json@6.5.0
- Vulnerability: The got package before 12.1.0 for Node.js allows a redirect to a UNIX socket.
- Affected Versions: >= 12.0.0, < 12.1.0, < 11.8.5
- Patched versions: 12.1.0, 11.8.5
- References
- https://github.com/advisories/GHSA-pfrx-2q88-qq97/
- https://nvd.nist.gov/vuln/detail/CVE-2022-33987
- https://github.com/sindresorhus/got/pull/2047
- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0
- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc
- https://github.com/sindresorhus/got/releases/tag/v11.8.5
- https://github.com/sindresorhus/got/releases/tag/v12.1.0
Possible fix
- Upgrade dependency version of `package-json` to >=8.0.0 as it points to fixed dependency for `got` >12.1.0
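As an added check (example code written for this page, not part of nodemon, `package-json` or the issue thread): a Node script that walks an `npm ls --json`-style dependency tree, finds every copy of `got`, and flags versions inside the affected ranges listed above (>= 12.0.0 < 12.1.0, and < 11.8.5). The tree embedded below is constructed to mirror the chain the issue describes; the `update-notifier` version in it is assumed, and the direct `got@12.1.0` entry is there only to show a patched copy alongside the vulnerable one.

```javascript
// Added example, not from the nodemon issue or from the got/package-json projects.
// Locates every copy of `got` in an `npm ls --json`-shaped tree and flags the
// versions that fall inside the affected ranges quoted in the advisory.

// Parse "MAJOR.MINOR.PATCH" (optionally "v"-prefixed) into three numbers.
// Prerelease/build tags are ignored; this is a deliberate simplification
// (in full semver a prerelease sorts before its release).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const lt = (a, b) => compareVersions(a, b) < 0;
const gte = (a, b) => compareVersions(a, b) >= 0;

// Affected ranges for got from GHSA-pfrx-2q88-qq97 / CVE-2022-33987,
// exactly as listed in the issue: >= 12.0.0 < 12.1.0, and < 11.8.5.
function isVulnerableGot(version) {
  return (gte(version, '12.0.0') && lt(version, '12.1.0')) || lt(version, '11.8.5');
}

// Depth-first walk of an `npm ls --json` tree (root has name/version/dependencies;
// children are keyed by package name and carry version/dependencies).
// Returns one entry per copy of `got`, with the path that led to it so the
// parent package pulling it in is obvious.
function findGot(tree, path = []) {
  const hits = [];
  const here = [...path, `${tree.name}@${tree.version}`];
  if (tree.name === 'got') {
    hits.push({
      version: tree.version,
      path: here.join(' > '),
      vulnerable: isVulnerableGot(tree.version),
    });
  }
  for (const [name, child] of Object.entries(tree.dependencies || {})) {
    hits.push(...findGot({ ...child, name }, here));
  }
  return hits;
}

// Only the copies that need action.
function vulnerableGot(tree) {
  return findGot(tree).filter((h) => h.vulnerable);
}

// Constructed sample tree mirroring the chain in the issue:
// nodemon@2.0.15 -> update-notifier -> package-json@6.5.0 -> got@9.6.0.
// The update-notifier version is assumed; the direct got@12.1.0 is a
// constructed patched copy for contrast.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    got: { version: '12.1.0' },
    nodemon: {
      version: '2.0.15',
      dependencies: {
        'update-notifier': {
          version: '5.1.0',
          dependencies: {
            'package-json': {
              version: '6.5.0',
              dependencies: { got: { version: '9.6.0' } },
            },
          },
        },
      },
    },
  },
};

for (const hit of findGot(SAMPLE_TREE)) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok        '} ${hit.path}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls --all --json` (the `--all` flag is what makes npm print transitive dependencies); the `path` field then names the package whose own dependency needs bumping, which in the issue's case is `package-json`.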
Issue Analytics
- State:
- Created a year ago
- Reactions: 2
- Comments: 10 (7 by maintainers)

I am not sure this was resolved. When I install the latest nodemon, and then run an audit, I get the following results…
Perhaps I did not update nodemon correctly?
Thanks!
By reading issue https://github.com/remy/nodemon/issues/2031 we can see that due to issues with update-notifier the project owner plans to drop this dependency entirely in the next release. So, hopefully, this will get fixed in the next release. Until then, I recommend using v2.0.17 if it doesn't break your install, and otherwise use v2.0.18 or v2.0.16.