garris / BackstopJS

Catch CSS curve balls.
http://backstopjs.org
MIT License

Derived security vulnerability from `ip` package through `puppeteer` dependency #1542

Open AloisSeckar opened 4 months ago

AloisSeckar commented 4 months ago

Just noticed Dependabot's security alert in my project regarding an SSRF vulnerability in ip 1.1.8. The dependency is being imported through puppeteer.

They already have an issue there, so I guess they will mitigate it sooner or later, although it looks like ip is currently not being developed. But once it is done, a new version of backstopjs will be required, so I am opening this to get attention.

Currently it is possible to shift back to version 6.2.2, which depends on an older (and also unmaintained) version of puppeteer, but this is obviously not the ideal solution.

dgrebb commented 4 months ago

This can be manually fixed in package.json by overriding proxy-agent for now. When puppeteer does so in their dependencies, it will organically find its way into backstop.

For example (in package.json):

```json
{
  "pnpm": {
    "overrides": {
      "proxy-agent@<6.4.0": "^6.4.0"
    }
  }
}
```

Various audit utilities should pick up on the patch as well.

See overrides.
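To see what an override key such as `"proxy-agent@<6.4.0": "^6.4.0"` actually selects before running the install, here is an added example (not code from the BackstopJS project or from this thread) that parses the `name@range` key and matches it against a constructed, simplified view of the resolved dependency chain; the puppeteer and proxy-agent versions in the sample tree are placeholders, only `ip 1.1.8` is taken from the thread.

```javascript
// Split "name@range" / "@scope/name@range"; a bare name matches every version.
function parseOverrideKey(key) {
  const at = key.lastIndexOf("@");
  if (at <= 0) return { name: key, range: "*" };
  return { name: key.slice(0, at), range: key.slice(at + 1) };
}

// Numeric major.minor.patch comparison (prerelease tags are not supported).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Supports "*" and a single comparator (<, <=, >, >=, =) against a plain version.
function satisfies(version, range) {
  if (range === "*") return true;
  const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1] || "=", c = compareVersions(version, m[2]);
  return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c === 0 }[op];
}

// resolved: [{ name, version, via }] where `via` is the parent that pulled it in.
// Returns the same list with `overriddenTo` set on entries an override matches.
function applyOverrides(resolved, overrides) {
  const rules = Object.entries(overrides).map(([k, t]) => ({ ...parseOverrideKey(k), target: t }));
  return resolved.map((pkg) => {
    const rule = rules.find((r) => r.name === pkg.name && satisfies(pkg.version, r.range));
    return rule ? { ...pkg, overriddenTo: rule.target } : pkg;
  });
}

// Constructed, simplified chain from the thread: backstopjs -> puppeteer -> proxy-agent -> ip.
const sampleTree = [
  { name: "puppeteer", version: "1.0.0", via: "backstopjs" },  // placeholder version
  { name: "proxy-agent", version: "6.3.0", via: "puppeteer" }, // placeholder, below 6.4.0
  { name: "ip", version: "1.1.8", via: "proxy-agent" },        // version named in the thread
];
const overrides = { "proxy-agent@<6.4.0": "^6.4.0" };          // the override from the thread

// Human-readable list of what the override rewrites, e.g. "proxy-agent@6.3.0 -> ^6.4.0".
function overriddenNames(tree = sampleTree, rules = overrides) {
  return applyOverrides(tree, rules)
    .filter((p) => p.overriddenTo)
    .map((p) => `${p.name}@${p.version} -> ${p.overriddenTo}`);
}

console.log(overriddenNames()); // prints [ 'proxy-agent@6.3.0 -> ^6.4.0' ]
```

Note that `ip` itself is not rewritten by this override: it disappears only if the newer proxy-agent no longer depends on it, which `pnpm why ip` after the install will confirm.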

AloisSeckar commented 4 months ago

Thank you for the quick solution