vulnerability in netmask (CVE-2021-28918)

[kachkaev]

I have a project that depends on [email protected], which seems to be the latest version.

When running yarn audit, this error shows up since a few days ago:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ netmask npm package vulnerable to octal input data           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ netmask                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ qiniu                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ qiniu > urllib > proxy-agent > pac-proxy-agent >             │
│               │ pac-resolver > netmask                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1658                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 901

https://www.npmjs.com/advisories/1658

It’d be great to see a new version of qiniu that depends on netmask@^2.0.1. Thank you!