Closed bpneal closed 7 months ago
It's not necessary, because the semver range (the ^) already allows for 2.7.3 to be installed. Run npm upgrade to update your dependencies.
It would appear that the lock file is forcing it to the bad version https://github.com/TooTallNate/proxy-agents/blob/main/pnpm-lock.yaml#L5124
Same issue here: No matter what, socks won't update higher than 2.7.1
Before updates to fix the ip vuln:
└─┬ pm2@5.3.1
  └─┬ @pm2/agent@2.0.3
    └─┬ proxy-agent@6.3.1
      ├─┬ pac-proxy-agent@7.0.1
      │ └─┬ pac-resolver@7.0.0
      │   └── ip@1.1.8
      └─┬ socks-proxy-agent@8.0.2
        └─┬ socks@2.7.1
          └── ip@2.0.0
after npm update pac-resolver:
└─┬ pm2@5.3.1
  └─┬ @pm2/agent@2.0.3
    └─┬ proxy-agent@6.3.1
      └─┬ socks-proxy-agent@8.0.2
        └─┬ socks@2.7.1
          └── ip@2.0.0
Running npm update socks still does NOT update socks to 2.7.3.
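The two comments above (the lock file pinning socks, and npm update not moving it past 2.7.1) come down to one check: what version does the lock file actually resolve, and does the declared caret range even permit the fixed release? The following is an added example, not code from this thread or from the proxy-agents project. It audits a constructed package-lock.json v3 fragment (the "packages" map used by npm; the pnpm-lock.yaml linked above has a different layout and is not parsed here), implements only the plain "^x.y.z" caret rule from npm's semver, and reports whether the locked version is below a given fixed version while the range would allow the fix. The package names, versions and fixed version are taken from the thread; the lock fragment itself is made up.

```javascript
// Added example: audit an npm package-lock.json (v3 "packages" map) for a
// dependency whose locked version is below a known-fixed release even though
// the declared caret range already permits that release.

// Constructed lock fragment mirroring the tree in the thread: socks-proxy-agent
// declares "^2.7.1" for socks, but the lock resolves socks to 2.7.1.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "node_modules/socks-proxy-agent": { version: "8.0.2", dependencies: { socks: "^2.7.1" } },
    "node_modules/socks": { version: "2.7.1", dependencies: { ip: "^2.0.0" } },
    "node_modules/ip": { version: "2.0.0" },
  },
});

// Parse "major.minor.patch" (pre-release/build suffixes are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// npm caret rule: "^x.y.z" allows changes that do not modify the left-most
// non-zero component (so ^2.7.1 allows 2.7.3 and 2.8.1 but not 3.0.0;
// ^0.2.1 allows 0.2.5 but not 0.3.0). Only the plain "^x.y.z" form is handled.
function caretAllows(range, version) {
  if (!range.startsWith("^")) return false;
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compareVersions(v, base) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Report the locked version of `pkg`, every range that dependents declare for
// it, and whether the lock is holding it below `fixedVersion`.
function auditLock(lockJson, pkg, fixedVersion) {
  const lock = JSON.parse(lockJson);
  const entry = lock.packages[`node_modules/${pkg}`];
  if (!entry) return { found: false };
  const ranges = [];
  for (const [path, p] of Object.entries(lock.packages)) {
    if (p.dependencies && p.dependencies[pkg]) {
      ranges.push({ dependent: path.replace(/^node_modules\//, ""), range: p.dependencies[pkg] });
    }
  }
  const locked = entry.version;
  const belowFix = compareVersions(parseVersion(locked), parseVersion(fixedVersion)) < 0;
  // If every declared range admits the fixed version, the lock file alone is
  // what keeps the old version installed; regenerating the lock entry resolves it.
  const fixAllowedByRange = ranges.every((r) => caretAllows(r.range, fixedVersion));
  return { found: true, locked, belowFix, ranges, fixAllowedByRange };
}

// Usage: the thread's case, socks locked at 2.7.1 with the fix in 2.7.3.
const report = auditLock(SAMPLE_LOCK, "socks", "2.7.3");
console.log(JSON.stringify(report, null, 2));
```

For the constructed fragment the report shows locked "2.7.1", belowFix true and fixAllowedByRange true: the range is not the problem, the pinned lock entry is, which is why bumping the range in socks-proxy-agent alone would not change what an existing lock installs.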
@bpneal @TooTallNate I suspect this might be a problem with an inconsistency in socks@2.7.3 itself (see linked issue above).
Okay, I've published socks@2.7.4 and I also published socks@2.8.1, both with a correct package-lock.json.
I think this should fix the semver upgrades for the 2.7.x versions, and 2.8.1 should fix it for the 2.8.0 that was published under a beta tag.
And if you're still having problems, clear your npm cache too.
Please bump "socks" to "^2.7.3" in socks-proxy-agent to resolve CVE-2023-42282
https://nvd.nist.gov/vuln/detail/CVE-2023-42282