Security Vulnerability, openSSL Unit-Testing #1925
Open
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello! I know I'm new here, but the following change(s) are quite non-invasive and I thought I'd contribute back
:D
.Overview
got
had amoderate
security issue that was thrown. The following PR aims to fix that.Additionally, I've provided solutions to other larger open source
npm
packages relating to theminimist
issues (a dependency of the very popularmocha
package), but as this is my first time aroundnodegit
, I thought it best to first see how willing the maintainers are to accept my PR (while limited, it seems some either copy and replicate my changes, or haven't bothered to look into the proposals).minimist
-related PR inexpress
dependencyDiscussion
It seems that
got
, adependency
, is getting used only in theutil
directory.Further, specific usage of the module where
got
is initialized is limited toacquireOpenSSL.js
.I thought to also create some unit testing as I saw that was a point of needed contributions.
Further diving down into the rabbit hole, I found that the binding for
node-gyp
auto-generates withdarwin
specifiedto
10.11
as the minimum version; because I'm unable to verify (10.15
) on the lower versions, I set the test toit.skip
.However, I was unable to successfully compile openSSL
v1.1.1l
. I updated the reference (a magic constant inacquireOpenSSL.js
) tov1.1.1p
. Thereafter I was able to successfully build wooohoooooo.I believe usage of these directives is still yet limited to
electron
applications; but I'm not 100% certain on this one.Note that while my personal testing included changing the
v1.1.1l
version tov1.1.1p
, I did set it back.