Closed brickfungus closed 4 months ago
@TooTallNate please help with fixing this high severity issue 🙏 It seems like node-ip repo is dead, maybe worth ditching it and use some alternative
The ip package is also used by the socks package, which is imported by socks-proxy-agent. It seems like the socks repo might also be dead. Maybe it is worth ditching this one as well?
Socks seems to use version 2.0.0 of the ip package, which does not appear in the vulnerability report. However, I worry that, since that version does not seem to have been truly released, it is still vulnerable but was not included in the vulnerability report.
Installing socks
by itself returns no vulnerabilities via pnpm audit
. Installing proxy-agent
shows one vulnerability for the ip package, and it is the v1.1.8 required by pac-resolver: . > proxy-agent@6.3.1 > pac-proxy-agent@7.0.1 > pac-resolver@7.0.0 > ip@1.1.8
But pnpm why ip
returns the following:
dependencies:
proxy-agent 6.3.1
├─┬ pac-proxy-agent 7.0.1
│ ├─┬ pac-resolver 7.0.0
│ │ └── ip 1.1.8
│ └─┬ socks-proxy-agent 8.0.2
│ └─┬ socks 2.7.1
│ └── ip 2.0.0
└─┬ socks-proxy-agent 8.0.2
└─┬ socks 2.7.1
└── ip 2.0.0
So tl;dr: Version 1.1.8 of ip is definitely vulnerable, and i'm not sure whether 2.0.0 is vulnerable, but either way it might be a good idea to transition away from dead packages and packages that require dead packages.
I added my 2c under the PR.
If socks
package won't remove ip
dependency upstream, then 2.0.0
will still be used by this repo. Then what's the point of removing ip
here.
Version 1.1.8 of ip is definitely vulnerable, and i'm not sure whether 2.0.0 is vulnerable
In the end it does not matter if this package is vulnerable if in this repo you don't use any of the vulnerable functions (which you don't). This makes bumping to 2.0.0
feasible option to get rid of advisory audit info. At least until new advisory report comes out stating 2.0.0
is also affected.
and i'm not sure whether 2.0.0 is vulnerable
I checked the report and I reproduced the vulnerability on 2.0.0
so this version is also affected. It just doesn't affect this package, because vulnerable functions are not used.
I made a ticket in the socks
package just for good measure.
I'll remove it from socks later today and publish a new version.
Published - https://www.npmjs.com/package/socks/v/2.7.3 - Drops ip
package as dependency.
Apologies if I'm missing something obvious, but pac-resolver
is still using ip
1.1.8. (Edit - I see. The socks
package is a different maintainer, but also used under the proxy-agents
repo).
https://github.com/advisories/GHSA-78xj-cgh5-2h22
Vulnerability for ip package in
pac-resolver
. Can that get updated and propagated up through the packages that use it?