TooTallNate / node-pac-proxy-agent

A PAC file proxy `http.Agent` implementation for HTTP and HTTPS

Security: Bump pac-resolver from ^4.1.0 to ^4.1.1 #38

Closed MaggieFero closed 3 years ago

MaggieFero commented 3 years ago

Bump pac-resolver from ^4.1.0 to ^4.1.1

Tag 4.1.1 includes a single security fix to increment the version of Netmask due to NPM advisory 1658 for CVE-2021-28918.

TooTallNate commented 3 years ago

Thanks for the PR, but this isn't necessary. Please see my response to a similar PR.

MaggieFero commented 3 years ago

@TooTallNate Unfortunately, because it's an indirect dependency, as an upstream user on yarn, I don't get the latest version of pac-resolver even after yarn upgrade, yarn reset, or similar because the version criteria are being met all the way up the tree by the existing versions. I even deleted yarn.lock and it still gave me the old netmask version, sadly.

TooTallNate commented 3 years ago

Then there must be some other dependency that's restricting the pac-resolver version from being updated.

You can see when I run yarn upgrade in a project that is using this module that the pac-resolver does indeed get upgraded, allowing the fixed netmask module to be installed:

diff --git a/yarn.lock b/yarn.lock
index 4542668..89ffee3 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -210,10 +210,10 @@ ms@2.1.2:
   resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.2.tgz#d09d1f357b443f493382a8eb3ccd183872ae6009"
   integrity sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==

-netmask@^1.0.6:
-  version "1.0.6"
-  resolved "https://registry.yarnpkg.com/netmask/-/netmask-1.0.6.tgz#20297e89d86f6f6400f250d9f4f6b4c1945fcd35"
-  integrity sha1-ICl+idhvb2QA8lDZ9Pa0wZRfzTU=
+netmask@^2.0.1:
+  version "2.0.2"
+  resolved "https://registry.yarnpkg.com/netmask/-/netmask-2.0.2.tgz#8b01a07644065d536383835823bc52004ebac5e7"
+  integrity sha512-dBpDMdxv9Irdq66304OLfEmQ9tbNRFnFTuZiLo+bD+r332bBmMJ8GBLXklIXXgxd3+v9+KUnZaUR5PJMa75Gsg==

 optionator@^0.8.1:
   version "0.8.3"
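Review bot: the `netmask@^1.0.6` entry is removed outright rather than left alongside the new `netmask@^2.0.1` entry, which is the useful signal here: nothing else in this lockfile still requests the 1.x range. A lockfile where both entries survive `yarn upgrade` is the sign of another dependent pinning `^1.0.6`, which matches the situation described in the comment above. The integrity field changing from `sha1-…` to `sha512-…` is just the registry's newer metadata for the 2.0.2 tarball, not something to act on.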
@@ -242,14 +242,14 @@ pac-proxy-agent@^4.1.0:
     raw-body "^2.2.0"
     socks-proxy-agent "5"

 pac-resolver@^4.1.0:
-  version "4.1.0"
-  resolved "https://registry.yarnpkg.com/pac-resolver/-/pac-resolver-4.1.0.tgz#4b12e7d096b255a3b84e53f6831f32e9c7e5fe95"
-  integrity sha512-d6lf2IrZJJ7ooVHr7BfwSjRO1yKSJMaiiWYSHcrxSIUtZrCa4KKGwcztdkZ/E9LFleJfjoi1yl+XLR7AX24nbQ==
+  version "4.2.0"
+  resolved "https://registry.yarnpkg.com/pac-resolver/-/pac-resolver-4.2.0.tgz#b82bcb9992d48166920bc83c7542abb454bd9bdd"
+  integrity sha512-rPACZdUyuxT5Io/gFKUeeZFfE5T7ve7cAkE5TUZRRfuKP0u5Hocwe48X7ZEm6mYB+bTB0Qf+xlVlA/RM/i6RCQ==
   dependencies:
     degenerator "^2.2.0"
     ip "^1.1.5"
-    netmask "^1.0.6"
+    netmask "^2.0.1"

 prelude-ls@~1.1.2:
   version "1.1.2"
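Review bot: the `pac-resolver@^4.1.0:` header is unchanged while the resolved version moves from 4.1.0 to 4.2.0, which is the whole point: the existing caret range already admits the fixed release, so widening the range to `^4.1.1` in package.json would not change what a fresh resolution picks. The diff resolves to 4.2.0 rather than the 4.1.1 named in the PR title, so the line to compare against the advisory is the dependency change `netmask "^1.0.6"` to `netmask "^2.0.1"`, which is what pulls in the fixed netmask.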
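The disagreement in this thread comes down to reading a lockfile: which resolved copy of netmask is present, and which entry's dependency range keeps the old copy alive. As an added example (not code from this repository or the PR), the following Python script parses yarn.lock v1 entries of the shape shown in the diff and reports every resolved copy of a package below a given fixed version, together with the lockfile entries whose ranges still pull it in. The sample lockfile is constructed to mirror the pre-upgrade state; the minimum fixed netmask version (2.0.1) is an assumption taken from the `^2.0.1` range in the diff.

```python
"""Audit a yarn.lock (v1 format) for packages resolved below a known-fixed version.

Added example, not part of the node-pac-proxy-agent project. An entry is an
unindented `name@range:` header (possibly several comma-separated specs),
followed by an indented `version "x.y.z"` line and an optional
`dependencies:` block listing the ranges that entry requests.
"""
import re
from typing import List, Tuple

# Constructed sample lockfile mirroring the pre-upgrade state in the diff.
SAMPLE_LOCK = """\
ms@2.1.2:
  version "2.1.2"
  resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.2.tgz#d09d1f357b443f493382a8eb3ccd183872ae6009"

netmask@^1.0.6:
  version "1.0.6"
  resolved "https://registry.yarnpkg.com/netmask/-/netmask-1.0.6.tgz#20297e89d86f6f6400f250d9f4f6b4c1945fcd35"

"netmask@^2.0.1", netmask@^2.0.0:
  version "2.0.2"
  resolved "https://registry.yarnpkg.com/netmask/-/netmask-2.0.2.tgz#8b01a07644065d536383835823bc52004ebac5e7"

pac-resolver@^4.1.0:
  version "4.1.0"
  dependencies:
    netmask "^1.0.6"
"""

HEADER_RE = re.compile(r'^(\S.*):$')            # unindented `spec, spec:` line
VERSION_RE = re.compile(r'^  version "([^"]+)"$')
DEP_RE = re.compile(r'^    (\S+) "([^"]+)"$')    # `    name "range"` inside dependencies:


def split_spec(spec: str) -> Tuple[str, str]:
    """Split `name@range` into (name, range). The last '@' is the separator,
    so scoped names such as `@types/node@^1.0.0` are handled."""
    spec = spec.strip().strip('"')
    name, _, rng = spec.rpartition('@')
    return name, rng


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering; prerelease/build suffixes are dropped."""
    core = re.split(r'[-+]', v, maxsplit=1)[0]
    return tuple(int(p) for p in core.split('.'))


def parse_lock(text: str) -> List[dict]:
    """Return one dict per lockfile entry: specs, resolved version, dependencies."""
    entries: List[dict] = []
    current = None
    in_deps = False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"specs": [split_spec(s) for s in m.group(1).split(',')],
                       "version": None, "dependencies": {}}
            entries.append(current)
            in_deps = False
            continue
        if current is None:
            continue
        m = VERSION_RE.match(line)
        if m:
            current["version"] = m.group(1)
            continue
        if line == "  dependencies:":
            in_deps = True
            continue
        if in_deps:
            m = DEP_RE.match(line)
            if m:
                current["dependencies"][m.group(1).strip('"')] = m.group(2)
            else:
                in_deps = False  # blank line or another key ends the block
    return entries


def find_vulnerable(text: str, package: str, min_fixed: str) -> List[dict]:
    """Every resolved copy of `package` below `min_fixed`, with the names of the
    lockfile entries whose dependency range resolves to that copy."""
    entries = parse_lock(text)
    fixed = parse_version(min_fixed)
    findings = []
    for entry in entries:
        ranges = [rng for name, rng in entry["specs"] if name == package]
        if not ranges or entry["version"] is None:
            continue
        if parse_version(entry["version"]) >= fixed:
            continue
        # Dependents reference the entry by the same range string as its header.
        required_by = sorted(
            other["specs"][0][0]
            for other in entries
            if other["dependencies"].get(package) in ranges
        )
        findings.append({"ranges": ranges, "version": entry["version"],
                         "required_by": required_by})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_LOCK, "netmask", "2.0.1"):
        print(f"netmask {f['version']} (range {', '.join(f['ranges'])}) "
              f"still required by: {', '.join(f['required_by']) or 'nothing'}")
```

Run against a real yarn.lock, the `required_by` list is the answer to "which dependency is restricting the version": if it is empty, the stale entry is only lockfile residue and a re-resolution will drop it; if it names a package, that package's range has to move before the fixed copy can be selected.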