Hi @techterbium,
The "got" package is not a direct dependency of this project. So, you'll have to fix the security alert by pinning the dependency in your own package-lock.json file in your repository.
Just wanted to jump in here and note that the security warning still exists on a fresh install of mocks-server/main.
It appears that update-notifier (up to v5.1.0) depends on a vulnerable version of the got package. And mocks-server/core depends on v5.1.0 of update-notifier.
We'd need to figure out if/how an upgrade to v6 affects mocks-server/core.
Otherwise, there is an alternative v5 version that has no breaking changes and fixes the vulnerability. See here: sindresorhus/update-notifier#218 (comment) Perhaps switching to update-notifier-cjs is an option?
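To check which installed copy of got an alert like this refers to, and which dependency chain pulls it in, here is an added example (not code from this thread or from the mocks-server project) that walks the `packages` map of a parsed package-lock.json (lockfileVersion 2 or 3). The function names and the trimmed lockfile are constructed for illustration; the sample has a patched top-level got alongside a nested vulnerable copy.

```javascript
// Added example. Vulnerable range as quoted in the alert: got before 11.8.5, and 12.x before 12.1.0.
// Versions are compared as plain x.y.z (each part below 10000); pre-release suffixes are ignored.
const num = v => v.split(/[-+]/)[0].split('.').reduce((n, x) => n * 1e4 + Number(x), 0);
const isVulnerableGot = v => num(v) < num('11.8.5') || (num(v) >= num('12.0.0') && num(v) < num('12.1.0'));

// Node-style lookup inside the lockfile: nearest node_modules/<name>, walking up from `base`.
function resolve(pkgs, base, name) {
  while (true) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (pkgs[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('node_modules/');
    base = i <= 0 ? '' : base.slice(0, i - 1);
  }
}

// Lockfile entries whose dependency on `name` resolves to the copy installed at `target`.
const dependents = (pkgs, target, name) => Object.keys(pkgs).filter(p =>
  name in { ...pkgs[p].dependencies, ...pkgs[p].optionalDependencies, ...pkgs[p].devDependencies } &&
  resolve(pkgs, p, name) === target);

// One dependency chain from the project root ('' in the lockfile) down to the entry at `path`.
function chainTo(pkgs, path, seen = new Set()) {
  if (path === '') return ['(root)'];
  if (seen.has(path)) return null; // already visited (dependency cycle)
  seen.add(path);
  const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
  for (const parent of dependents(pkgs, path, name)) {
    const chain = chainTo(pkgs, parent, seen);
    if (chain) return [...chain, `${name}@${pkgs[path].version}`];
  }
  return null;
}

// Every installed copy of got in the vulnerable range, with a chain explaining why it is there.
function findVulnerableGot(lock) {
  return Object.keys(lock.packages)
    .filter(p => /(^|\/)node_modules\/got$/.test(p) && isVulnerableGot(lock.packages[p].version))
    .map(p => ({ path: p, version: lock.packages[p].version, chain: chainTo(lock.packages, p) }));
}

// Constructed sample, trimmed to the "packages" map of a lockfileVersion 2/3 package-lock.json.
const SAMPLE_LOCK = { packages: {
  '': { name: 'example-app', dependencies: { got: '^11.8.5', 'update-notifier': '^5.1.0' } },
  'node_modules/got': { version: '11.8.5' },
  'node_modules/update-notifier': { version: '5.1.0', dependencies: { 'latest-version': '^5.1.0' } },
  'node_modules/latest-version': { version: '5.1.0', dependencies: { 'package-json': '^6.3.0' } },
  'node_modules/package-json': { version: '6.5.0', dependencies: { got: '^9.6.0' } },
  'node_modules/package-json/node_modules/got': { version: '9.6.0' },
} };
```

For a real project, pass the result of `JSON.parse` on the contents of package-lock.json to `findVulnerableGot`.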
Describe the bug
Security warning by dependabot alert: The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.
To Reproduce
Happens on version 3.12.0
Expected behavior
A clear and concise description of what you expected to happen.
Logs
If applicable, add logs to help explain your problem.
Operating system, Node.js and npm versions, or browser version (please complete the following information):
Additional context
Add any other context about the problem here.