
Security Vulnerability, openSSL Unit-Testing by Segmentational · Pull Request #1925 · nodegit/nodegit

Hello! I know I'm new here, but the following change(s) are quite non-invasive and I thought I'd contribute back :D.

Overview

got had a moderate security issue that was thrown. The following PR aims to fix that.

Additionally, I've provided solutions to other large open source npm packages relating to the minimist issues (a dependency of the very popular mocha package), but as this is my first time around nodegit, I thought it best to first see how willing the maintainers are to accept my PR (while limited, it seems some either copy and replicate my changes, or haven't bothered to look into the proposals).

Discussion

It seems that got, a dependency, is getting used only in the util directory.

Further, specific usage of the module where got is initialized is limited to acquireOpenSSL.js.

I thought to also create some unit testing as I saw that was a point of needed contributions.

Further diving down into the rabbit hole, I found that the binding for node-gyp auto-generates with darwin specified to 10.11 as the minimum version; because I'm unable to verify (10.15) on the lower versions, I set the test to it.skip.

However, I was unable to successfully compile OpenSSL v1.1.1l. I updated the reference (a magic constant in acquireOpenSSL.js) to v1.1.1p. Thereafter I was able to successfully build, wooohoooooo.

I believe usage of these directives is still limited to electron applications; but I'm not 100% certain on this one.


Note that while my personal testing included changing the v1.1.1l version to v1.1.1p, I did set it back.