Closed viktor-urbanas-qatalog closed 4 months ago
Latest commit: f1b42101177e0df8f7ee50c02e2cf2250c3f875a
The changes in this PR will be included in the next version bump.
Not sure what this means? Click here to learn what changesets are.
Click here if you're a maintainer who wants to add another changeset to this PR
The latest updates on your projects. Learn more about Vercel for Git ↗︎
Name | Status | Preview | Updated (UTC) |
---|---|---|---|
proxy-agents | ✅ Ready (Inspect) | Visit Preview | Feb 12, 2024 8:57am |
It's great to see this change. Should be ok since only affected functions are ip.isPrivate
and ip.isPublic
and this package is not relying on them at all.
But, the whole proxy-agent
will still depend on the ip
package through socks-proxy-agent
:
│ └─┬ socks-proxy-agent 8.0.2
│ └─┬ socks 2.7.1
│ └── ip 2.0.0
The alert states that all versions affected are <= 1.1.8
, and that there are no patched versions while the newest version is 2.0.0
.
This means technically 2.0.0
is still vulnerable, but it won't trigger the advisory audit issue.
Since we know this package does not use any of the affected functions (isPublic
or isPrivate
), we could just bump ip
package to 2.0.0
, to get rid of the warning instead of moving the code into this repo.
I've created https://github.com/github/advisory-database/pull/3504 updating the advisory to include v2, and Josh has said they'll get it removed from socks
.
This PR should be fine to land in parallel since it's a separate change, reduced the advisory count overall, and hopefully the socks
fix will be non-breaking meaning no further changes will be needed for these packages (people will just be able to npm update socks
).
socks
has released version 2.7.3 that removes the ip
dependency: https://github.com/JoshGlazebrook/socks/releases/tag/2.7.3
Thanks, Nate!
There is a
high
severity vulnerability in the https://github.com/indutny/node-ip packageUnfortunately this package was updated long time ago and seems to be dead
This PR aims to fix the aforementioned issue by getting rid of the
node-ip
dependency in favour of using copied parts of code which are used in this libFixes: https://github.com/TooTallNate/proxy-agents/issues/280