TooTallNate / proxy-agents

Node.js HTTP Proxy Agents Monorepo
https://proxy-agents.n8.io

Please bump "socks" to "^2.7.3" in socks-proxy-agent to resolve CVE-2023-42282 #293

Closed bpneal closed 7 months ago

bpneal commented 7 months ago

Please bump "socks" to "^2.7.3" in socks-proxy-agent to resolve CVE-2023-42282

https://nvd.nist.gov/vuln/detail/CVE-2023-42282

bpneal commented 7 months ago

https://github.com/TooTallNate/proxy-agents/pull/294

TooTallNate commented 7 months ago

It's not necessary, because the semver range (the ^) already allows for 2.7.3 to be installed. Run npm upgrade to update your dependencies.

bpneal commented 7 months ago

It would appear that the lock file is forcing it to the bad version https://github.com/TooTallNate/proxy-agents/blob/main/pnpm-lock.yaml#L5124

MartinFalatic commented 7 months ago

Same issue here: No matter what, socks won't update higher than 2.7.1

Before updates to fix the ip vuln:

└─┬ pm2@5.3.1
  └─┬ @pm2/agent@2.0.3
    └─┬ proxy-agent@6.3.1
      ├─┬ pac-proxy-agent@7.0.1
      │ └─┬ pac-resolver@7.0.0
      │   └── ip@1.1.8
      └─┬ socks-proxy-agent@8.0.2
        └─┬ socks@2.7.1
          └── ip@2.0.0

after npm update pac-resolver:

└─┬ pm2@5.3.1
  └─┬ @pm2/agent@2.0.3
    └─┬ proxy-agent@6.3.1
      └─┬ socks-proxy-agent@8.0.2
        └─┬ socks@2.7.1
          └── ip@2.0.0

Running npm update socks still does NOT update socks to 2.7.3.
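The two comments above make the same point from different angles: the `^` range in socks-proxy-agent allows a fixed socks, but the lockfile pins the resolved copy to 2.7.1 and `npm update` leaves it there. The following is an added example, not code from this repository or from the socks project, that audits a package-lock.json for every resolved copy of a package older than a given fixed version. It implements its own minimal semver comparison (including prerelease ordering, so a `2.8.0-beta` tag sorts below `2.8.0`) rather than depending on the `semver` package, and it reads lockfile v2/v3 `packages` maps as well as the nested v1 `dependencies` tree. The lockfile embedded below is constructed to mirror the pasted `npm ls` tree; the dependency ranges and the top-level 2.7.4 copy in it are assumptions for illustration.

```javascript
// Added example: find every copy of a package in a package-lock.json that is
// older than a fixed version. Runs offline against the constructed SAMPLE_LOCK.

// Parse "1.2.3", "v1.2.3", "1.2.3-beta.1", "1.2.3+build" (build metadata ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Prerelease identifier ordering per semver: numeric < alphanumeric, numerics compared as numbers.
function compareIds(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 like a comparator. A prerelease sorts below its release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (pa.pre[i] === undefined) return -1; // fewer identifiers sorts first
    if (pb.pre[i] === undefined) return 1;
    const c = compareIds(pa.pre[i], pb.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Lockfile v2/v3 keys are install paths; the package name is everything after
// the last "node_modules/", which keeps scoped names such as "@pm2/agent" intact.
function nameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Every resolved copy of `pkg` whose version is strictly below `fixed`.
function findPinnedBelow(lock, pkg, fixed) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 or 3: flat map keyed by install path
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '' || !entry.version) continue; // "" is the root project itself
      if (nameFromKey(key) === pkg && compareVersions(entry.version, fixed) < 0) {
        hits.push({ path: key, version: entry.version });
      }
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === pkg && entry.version && compareVersions(entry.version, fixed) < 0) {
          hits.push({ path, version: entry.version });
        }
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed lockfile fragment (not the project's real lockfile). It mirrors the
// pasted tree and adds an assumed, already-fixed top-level socks@2.7.4 so that a
// stale nested copy under socks-proxy-agent is what gets flagged.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'example-app', dependencies: { pm2: '5.3.1' } },
    'node_modules/pm2': { version: '5.3.1' },
    'node_modules/@pm2/agent': { version: '2.0.3' },
    'node_modules/proxy-agent': { version: '6.3.1' },
    'node_modules/socks': { version: '2.7.4' },
    'node_modules/socks-proxy-agent': { version: '8.0.2', dependencies: { socks: '^2.7.1' } },
    'node_modules/socks-proxy-agent/node_modules/socks': { version: '2.7.1' },
    'node_modules/ip': { version: '2.0.0' },
  },
};

for (const hit of findPinnedBelow(SAMPLE_LOCK, 'socks', '2.7.3')) {
  console.log(`${hit.path} is pinned to ${hit.version} (< 2.7.3)`);
}
```

On a real project, `npm ls socks` lists the resolved copies the same way; running `findPinnedBelow` over the parsed lockfile gives the same answer without invoking npm, which is useful in CI where the lockfile is committed but `node_modules` is not.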

MartinFalatic commented 7 months ago

@bpneal @TooTallNate I suspect this might be a problem with an inconsistency in socks@2.7.3 itself (see linked issue above).

JoshGlazebrook commented 7 months ago

Okay, I've published socks@2.7.4 and I also published socks@2.8.1, both with a correct package-lock.json.

I think this should fix the semver upgrades for the 2.7.x versions, and 2.8.1 should fix it for the 2.8.0 that was published under a beta tag.

MartinFalatic commented 7 months ago

And if you're still having problems, clear your npm cache too.