Request to upgrade transitive dependency `http-cache-semantics` in `react-map-gl-geocoder`

[NaomiCher]

I am using the react-map-gl-geocoder package in version 2.2.0 and I have discovered that there is a vulnerability (CVE-2022-25881) in one of the transitive dependencies of the package, http-cache-semantics, which has been documented at the following URL: https://nvd.nist.gov/vuln/detail/CVE-2022-25881.

In light of this, I kindly request that you consider upgrading the http-cache-semantics dependency to a version that addresses the vulnerability in a future release of the react-map-gl-geocoder package. Upgrading dependencies is crucial for ensuring the security of my application, and I would greatly appreciate your efforts in this regard.

[kiloz]

Should we create a branch and pull request?

Dependabot cannot update http-cache-semantics to a non-vulnerable version

The latest possible version that can be installed is 3.8.1 because of the following conflicting dependency:

react-map-gl-geocoder@2.2.0 requires http-cache-semantics@3.8.1 via a transitive dependency on cacheable-request@2.1.4

The earliest fixed version is 4.1.1.

Package: http-cache-semantics (npm)
Affected versions < 4.1.1
Patched version 4.1.1

http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.