Open AloisSeckar opened 4 months ago
This can be manually fixed in `package.json` by overriding `proxy-agent` for now. When puppeteer does so in their dependencies, it will organically find its way into backstop.

For example:

```json
"pnpm": {
  "overrides": {
    "proxy-agent@<6.4.0": "^6.4.0"
  }
}
```

Various audit utilities should pick up on the patch as well.

See overrides.
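One way to confirm the override took effect after reinstalling, as an added example (not code from backstopjs, puppeteer or the comment above): walk a dependency tree and report every chain that still resolves `proxy-agent` below 6.4.0. The input shape is assumed to follow the JSON tree printed by `npm ls --all --json` or `pnpm list --json`; the function names, the sample trees and the `0.0.0` and `6.3.1` versions are constructed for illustration.

```javascript
// Added example: flag dependency chains that still resolve a package below a minimum version.
// Assumed node shape: { version, dependencies: { name: node }, devDependencies: { ... } }.

// Compare two "x.y.z" versions numerically; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively follow every dependency edge; return "a@1 > b@2 > name@x" chains below minVersion.
function findBelow(node, name, minVersion, chain = [], hits = []) {
  for (const group of ["dependencies", "devDependencies"]) {
    for (const [depName, dep] of Object.entries(node[group] || {})) {
      if (!dep || typeof dep !== "object") continue; // skip missing optional deps
      const here = [...chain, `${depName}@${dep.version || "?"}`];
      if (depName === name && dep.version &&
          compareVersions(dep.version, minVersion) < 0) {
        hits.push(here.join(" > "));
      }
      findBelow(dep, name, minVersion, here, hits);
    }
  }
  return hits;
}

// Constructed sample trees (chain shortened, versions are placeholders).
const BEFORE = { dependencies: { backstopjs: { version: "0.0.0", dependencies: {
  puppeteer: { version: "0.0.0", dependencies: {
    "proxy-agent": { version: "6.3.1" } } } } } } };
const AFTER = { dependencies: { backstopjs: { version: "0.0.0", dependencies: {
  puppeteer: { version: "0.0.0", dependencies: {
    "proxy-agent": { version: "6.4.0" } } } } } } };

console.log("before override:", findBelow(BEFORE, "proxy-agent", "6.4.0"));
console.log("after override: ", findBelow(AFTER, "proxy-agent", "6.4.0"));
```

An empty result for the real tree means no installed copy of `proxy-agent` predates the overridden range.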
Thank you for the quick solution.
Just noticed Dependabot's security alert in my project regarding an SSRF vulnerability in `ip` 1.1.8. The dependency is being imported through `puppeteer`. They already have an issue there, so I guess they will mitigate it sooner or later, although it looks like `ip` is currently not being developed. But once it is done, a new version of `backstopjs` will be required, so I am opening this to get attention.

Currently it is possible to shift back to version `6.2.2`, which depends on an older (and also unmaintained) version of `puppeteer`, but this is obviously not the ideal solution.