Closed EnzooKms closed 4 months ago
Run npm upgrade in your project. It'll pick up socks@2.7.3.
Hello @TooTallNate, the vulnerable ip package is being pulled by the default npm installation. I tried building a docker image with node 20 and ip package is present in the image. Let me know if I'm doing anything wrong.
Here's my Dockerfile,
FROM node:20
COPY ./app.js ./
CMD ["node", "./app.js"]
You're not doing anything wrong. The Docker image contains what was released in the version of Node.js / npm which that image contains, which was published before the fix here was. You'll need to wait for a new version of the Docker image to be published.
Makes sense, thanks.
I upgraded to the latest npm, ran npm upgrade and I still get:
npm ls ip
...
└─┬ npm@10.4.0
  └─┬ make-fetch-happen@13.0.0
    └─┬ @npmcli/agent@2.2.0
      └─┬ socks-proxy-agent@8.0.2
        └─┬ socks@2.7.1
          └── ip@2.0.0
Wouldn't it be better to just bump your dependency to socks "^2.7.3"?
Use npm audit to fix that
That doesn't work either. You can try it for yourself: make a new node project and install the latest npm as a dependency.
npm audit
npm audit fix
Doesn't work?
I don't know how to resolve it then.
That issue is specific to the npm package itself, since it's bundling the dependencies using the bundleDependencies key in the package.json file. So the versions of dependencies that get installed are locked to what was available when that version of npm was published. Unfortunately there's not going to be anything I can do on my end to fix that.
Ahh, thanks for clarifying! I'll look in the Npm Issue Tracker then. EDIT: This seems to be the one https://github.com/npm/cli/issues/7223
Is there a reason you're concerned specifically with the deps that npm installs? It shouldn't be a dependency directly of your project except for rare circumstances.
We're using the https://github.com/semantic-release/npm plugin to create a private npm package in our CI/CD pipeline. This depends on npm and has over a million weekly downloads. So I would say it's not that rare ;).
FWIW, we're concerned with the deps that npm installs because the security vulnerability scanners flag them, and regulatory compliance requires that we mitigate them; I suspect we're not alone in this situation.
Same situation here, any news on this topic?
Did you try npm audit?
I've already said that a new npm release needs to be made. I'm going to lock this thread.
socks-proxy-agent
This package uses socks version 2.7.1, which has a dependency vulnerability.
Use the new socks patch as https://www.npmjs.com/package/socks/v/2.7.3
resources: