Dependency on vulnerable version of got
kdmcguire opened this issue
Versions
- What is this plugin's version? 2.2.0
- What is Cypress version? 6.9.1
- What Netlify build image are you using? This setting is available under "Deploy settings / Build image selection". Probably either "Ubuntu Trusty 14.04" or "Ubuntu Xenial 16.04". Ubuntu Focal 20.04 (default)
- What is the Node version if you know it? 16.19.0
- What is the NPM version if you know it? 8.19.3
Describe the bug
A clear and concise description of what the bug is.
GitHub's Dependabot reports that netlify-plugin-cypress@2.2.0 depends on a vulnerable version of got, 10.7.0. The patched version is got@11.8.5.
"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket."
Logs and screenshots
If possible, add the log from the terminal. You can turn on debugging logging, see Debugging section of the README file.
Link to the repo
Bugs with a reproducible example, like an open source repo showing the bug, are the most likely to be resolved.
netlify-plugin-cypress/package.json, line 27 at commit 6ab1237
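The report above turns on a nested copy of got: the plugin pins its own got under its own node_modules, so a patched top-level got does not help. The following is an added example, not code from the issue or from the netlify-plugin-cypress project, that walks a package-lock.json (lockfileVersion 2 or 3 "packages" map) and flags every copy of got below the patched versions quoted in the advisory (11.8.5 for the 11.x line, 12.1.0 for the 12.x line). The lockfile contents are constructed sample data, and the version comparison is a small hand-written helper rather than the semver package.

```javascript
// Added example (not from the issue or the project): find copies of `got`
// in a package-lock.json that predate the patched releases named in the
// advisory (got < 11.8.5, or 12.x < 12.1.0). All input below is constructed.

// Patched releases per major line, as quoted in the advisory text.
const PATCHED = { 11: [11, 8, 5], 12: [12, 1, 0] };

// "10.7.0" -> [10, 7, 0]; any pre-release suffix ("-beta.1") is dropped.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10));
}

// Numeric compare of [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Vulnerable: anything below 11.8.5 (which includes all 10.x and older),
// or a 12.x release below 12.1.0. 13.x and later are outside the advisory.
function isVulnerableGot(version) {
  const v = parseVersion(version);
  if (v[0] < 11) return true;
  if (v[0] === 11) return compareVersions(v, PATCHED[11]) < 0;
  if (v[0] === 12) return compareVersions(v, PATCHED[12]) < 0;
  return false;
}

// Walk the "packages" map. Keys are install paths such as
// "node_modules/got" or "node_modules/<pkg>/node_modules/got", so nested
// copies hidden under a dependency are found as well as the top-level one.
function findVulnerableGot(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isGot = path === "node_modules/got" || path.endsWith("/node_modules/got");
    if (isGot && entry.version && isVulnerableGot(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level got plus a nested
// vulnerable got pulled in by a plugin, mirroring the situation reported.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-site", version: "1.0.0" },
    "node_modules/got": { version: "11.8.5" },
    "node_modules/netlify-plugin-cypress": { version: "2.2.0" },
    "node_modules/netlify-plugin-cypress/node_modules/got": { version: "10.7.0" },
  },
};

// Running the scan on the sample reports only the nested 10.7.0 copy.
const report = findVulnerableGot(SAMPLE_LOCK);
console.log(JSON.stringify(report, null, 2));
```

On a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). npm audit and Dependabot perform the same kind of walk; the value of seeing it spelled out is that the path in each hit tells you which dependency owns the stale copy, which is what decides whether an upstream bump (as requested in this issue) or a local override is the fix.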