vercel / turbo

Incremental bundler and build system optimized for JavaScript and TypeScript, written in Rust – including Turbopack and Turborepo.
https://turbo.build
MIT License

Security vulnerability of turbo gen #8483

Open ghdtjgus76 opened 2 weeks ago

ghdtjgus76 commented 2 weeks ago

Verify canary release

Link to code that reproduces this issue

.

What package manager are you using / does the bug impact?

pnpm

What operating system are you using?

Mac

Which canary version will you have in your reproduction?

turbo@2.0.4-canary.4

Describe the Bug

turbo/gen relies on proxy-agent, which in turn depends on pac-proxy-agent and socks-proxy-agent. pac-proxy-agent uses pac-resolver and socks-proxy-agent. socks-proxy-agent depends on the socks package, and both pac-resolver and socks depend on the ip package. As indicated in the reference below, using the ip package can lead to security issues, which will be flagged as vulnerabilities in the repository's security tab.

https://github.com/advisories/GHSA-78xj-cgh5-2h22 https://github.com/indutny/node-ip/issues/150

Expected Behavior

It seems that the ip package is currently not actively maintained. To address such issues, it might be beneficial to consider modifying the package.

To Reproduce

.

Additional context

No response
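The report above is about a transitive chain, so the practical question for a maintainer is "which of my direct dependencies actually pull `ip` in, and through which paths?" The following is an added example, not code from the turbo project: it walks a dependency graph and lists every root-to-target path, the way `pnpm why ip` or `npm ls ip` would on a real install. The sample graph is constructed by hand from the chain described in the issue (proxy-agent, pac-proxy-agent, socks-proxy-agent, pac-resolver, socks, ip); it is not read from a real lockfile, and the root name `@turbo/gen` is assumed. The `loadHoistedGraph` helper is an assumption as well: it reads a flat npm-style `node_modules` and does not walk pnpm's nested `.pnpm` store.

```javascript
// Added example (not turbo's own code): report every path from a root
// package to a flagged transitive dependency, so a reviewer can see
// which direct dependencies need an update or an override.

// Constructed sample graph mirroring the chain in the issue report.
// Hand-written data, not read from a real lockfile.
const sampleGraph = {
  "@turbo/gen": ["proxy-agent"],
  "proxy-agent": ["pac-proxy-agent", "socks-proxy-agent"],
  "pac-proxy-agent": ["pac-resolver", "socks-proxy-agent"],
  "socks-proxy-agent": ["socks"],
  "pac-resolver": ["ip"],
  socks: ["ip"],
  ip: [],
};

// Depth-first walk collecting every root->target path. The trail check
// guards against cycles, which real npm graphs do contain.
function findPaths(graph, root, target) {
  const paths = [];
  function visit(name, trail) {
    if (trail.includes(name)) return;
    const here = [...trail, name];
    if (name === target) {
      paths.push(here);
      return;
    }
    for (const dep of graph[name] ?? []) visit(dep, here);
  }
  visit(root, []);
  return paths;
}

// Packages that import the flagged one directly: these are the ones whose
// maintainers must patch, and the ones a package-manager override would
// need to cover.
function directDependents(paths) {
  const names = new Set();
  for (const p of paths) if (p.length >= 2) names.add(p[p.length - 2]);
  return [...names].sort();
}

// Render paths as `a > b > c` lines for a report or CI log.
function formatPaths(paths) {
  return paths.map((p) => p.join(" > ")).join("\n");
}

// Assumed helper: build the same graph shape from an installed, hoisted
// node_modules directory (npm/yarn classic layout). Scoped packages live
// one level down (@scope/name). pnpm's nested .pnpm store is not walked.
function loadHoistedGraph(nodeModulesDir) {
  const fs = require("node:fs");
  const path = require("node:path");
  const graph = {};
  for (const entry of fs.readdirSync(nodeModulesDir)) {
    const names = entry.startsWith("@")
      ? fs.readdirSync(path.join(nodeModulesDir, entry)).map((s) => `${entry}/${s}`)
      : [entry];
    for (const name of names) {
      const pkgPath = path.join(nodeModulesDir, name, "package.json");
      if (!fs.existsSync(pkgPath)) continue;
      const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
      graph[name] = Object.keys(pkg.dependencies ?? {});
    }
  }
  return graph;
}

// Stand-alone run over the constructed sample graph.
if (typeof require !== "undefined" && require.main === module) {
  const paths = findPaths(sampleGraph, "@turbo/gen", "ip");
  console.log(formatPaths(paths));
  console.log("direct dependents of ip:", directDependents(paths).join(", "));
}
```

On the sample graph this yields three distinct paths to `ip`, all ending in either `pac-resolver` or `socks`; those two names are the ones an override or upstream fix has to reach, regardless of how many routes lead to them. On a real checkout, `loadHoistedGraph("./node_modules")` can replace `sampleGraph` for npm-style layouts.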

devjiwonchoi commented 2 weeks ago

Maybe https://github.com/vercel/turbo/security/policy ?

nguyenlam123 commented 1 week ago

Hello all! 👋

I'm wondering if there is a patch planned for this for version 1 of turbo?

Thanks in advance! 🙇