Closed ekohilas closed 4 months ago
Latest commit: 79c7ed4b033d0eb003eec738b1f307a6775f42b0
The changes in this PR will be included in the next version bump.
Name | Status | Preview | Updated (UTC)
---|---|---|---
proxy-agents | ❌ Failed | | Feb 19, 2024 3:58am
Thanks, but I've explained here about the npm case. Bumping here isn't going to fix anything, a new release needs to happen on npm's end to upgrade its bundled dependencies.
@TooTallNate it's released, but npm audit checks only deps versions used in package.json tree and if you merge it, it should not show vulnerability.
> npm audit checks only deps versions used in package.json

That is incorrect. See below:
```
$ npm audit
found 0 vulnerabilities
$ npm ls -a
└─┬ socks-proxy-agent@8.0.2
  ├─┬ agent-base@7.1.0
  │ └── debug@4.3.4 deduped
  ├─┬ debug@4.3.4
  │ └── ms@2.1.2
  └─┬ socks@2.7.3
    ├─┬ ip-address@9.0.5
    │ ├── jsbn@1.1.0
    │ └── sprintf-js@1.1.3
    └── smart-buffer@4.2.0
```
Even with the current socks-proxy-agent release, socks@2.7.3 is installed, which does not have the `ip` dependency.
Looks like I need to delete node_modules, and then the results from npm audit are better. Thanks
- npm@10.4.0 has an indirect dependency on `ip` via socks@2.7.1
- `ip` has a high security vulnerability
- socks@2.7.3 no longer has a dependency on `ip`, but it seems like somewhere up the chain, something is installing 2.7.1 exactly rather than going to 2.7.3
- this bump should help prevent that.