transitive dependency has the vulnerability

[Smanst3r]

I’ve updated juice to the latest version (11.0.1), but npm audit still reports a vulnerability in undici:

npm audit
---
undici  6.0.0 - 6.21.1
Severity: moderate
Use of Insufficiently Random Values in undici - https://github.com/advisories/GHSA-c76h-2ccp-4975
undici Denial of Service attack via bad certificate data - https://github.com/advisories/GHSA-cxrh-j4jr-qwg3
fix available via `npm audit fix`
node_modules/undici

npm ls undici                                                                                                                                                   ✔  at 18:34:36
<project>
└─┬ juice@11.0.1
  └─┬ cheerio@1.0.0
    └── undici@6.21.0

It seems that cheerio is still using a version of undici with known vulnerabilities. Idk if I should open an issue for it here

[cossssmin]

We will fix this and update cheerio which now uses undici@7.x, but it will mean we release a major version, because undici now uses APIs that are not available in Node 18, which currently Juice still supports.

[Smanst3r]

Thank you for feedback