@wraithgar @nlf Your reviews, please.

The engines declaration for this version of make-fetch-happen is incompatible with the current one of node-gyp. This PR is blocked by #2770

This is causing 1 high severity vulnerability from http-cache-semantics within make-fetch-happen.

Do we have an eta on this?

http-cache-semantics 4.1.0 is high vulnerability issue. need to update make-fetch-happen to 11.0.3
Details: https://www.cve.org/CVERecord?id=CVE-2022-25881
When can we expect the update on this or any ETA?

When you want a pull request to be merged, please give it a positive review as @fengmk2 has done at the top right of this page. Every checkmark ✔️ that project maintainers see there gives them confidence that the proposed changes have been looked at and have been deemed both useful and safe to merge into the codebase. Lots of "what is the ETA?" comments are easier for maintainers to ignore than ✔️✔️✔️✔️✔️ from several different reviewers.

Anyone can review a pull request on GitHub. To do so here:

1. Scroll to the top of this page.
2. Click the Files changed tab.
3. Click the Review changes button.
4. Click Approve (or one of the other options) and make comments only if they have not already been stated in the PR.
5. Click Submit review so that your ✔️ can be added to the list.

Also, the comment above that this PR is blocked by #2770 means that interested parties should review that one as well.

If I understand @wraithgar's comment correctly, the dependency is only on the engines upgrade, and not on the whole of #2770. Since the length of #2770 was cited as a blocker for review, I've broken out the one-line "engines" commit into a separate PR for convenience (#2827), and would appreciate your reviews!

@cclauss 100%, however the original PR blocker is just going to become stale at this point, it's now 4 months old :(

@cclauss Tests are now breaking on main on node 14~18: https://github.com/nodejs/node-gyp/actions/runs/4811204563/jobs/8564880967

Not sure why #2827 was closed (make-fetch-happen@11 and the new transitive cacache, minipass-fetch, and ssri^10 do end support for node 12)?

#2770 still looks relevant and is now rebased and updated by author.

FWIW this change (updating make-fetch-happen) is/was breaking - package managers like yarn will refuse to install if on node 12.

Just opened npm/make-fetch-happen#243. Seems like it would make the situation more straight-forward on this side (assuming a node-gyp@9.x release with a yet-to-be-released make-fetch-happen@10.x is feasible)

Not sure why #2827 was closed

I closed #2827 because this PR had already been merged. Happy to re-open, but it seems we can accomplish the same through #2770 directly.