Socks package depends on vulnerable package ip
#93

This package relies on a vulnerable ip package: GHSA-78xj-cgh5-2h22

The report says the affected versions are below 1.1.8 without any patched versions (latest is 2.0.0, which this package relies on). I took a moment to reproduce the vulnerability in 2.0.0 and this version is also affected (but not seen in npm audit, due to version constraint in the advisory database). Maybe consider removing ip as dependency. This package seems to be dead, especially looking at the disclosure timeline in the report:

Is this package affected

The only two vulnerable functions from the ip package are isPublic and isPrivate. I didn't look through the code but you probably should ignore this if this package is not using these functions.

In such case this probably should be revisited only in case of the advisory database update stating the 2.0.0 package is also affected (making this package a culprit in the npm audit). Until then it's probably safe to ignore.

Related: ip dependency TooTallNate/proxy-agents#281

Comments

I'll work on removing it later today.

2.7.3 is published - https://www.npmjs.com/package/socks/v/2.7.3

markhepburn added a commit to IMASau/Seamap that referenced this issue on Feb 19, 2024:

GHSA-78xj-cgh5-2h22 ip was used by socks JoshGlazebrook/socks#93 (comment) (also by storybook but I'm not worried about that), so we upgrade socks. The ip package itself seems dead.

This was referenced Apr 9, 2024
This was referenced Apr 20, 2024
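The thread makes two practical points for anyone triaging this advisory: npm audit only flags ip versions inside the advisory's range (below 1.1.8), so a dependency pinned at 2.0.0 is invisible to it even though the reporter reproduced the problem there, and the exposure only matters if the code actually calls isPublic or isPrivate. The script below is an added example, not code from the socks project or from anyone in this issue. It walks an npm ls --json-style dependency tree to list every path that pulls in ip, classifies each version against the range stated in the issue, and applies a simple source-text heuristic for calls to the two named functions. The tree, the socks version 2.7.1 and the source snippet are constructed sample values, and the classify/usesVulnerableApi names are this example's own.

```javascript
// Added example (not the socks project's code): audit a dependency tree for the
// `ip` package per GHSA-78xj-cgh5-2h22 as discussed in JoshGlazebrook/socks#93.

const ADVISORY = 'GHSA-78xj-cgh5-2h22';
const ADVISORY_RANGE_UPPER = '1.1.8';   // issue: affected versions are below 1.1.8
const REPORTED_AFFECTED = ['2.0.0'];     // issue: reporter reproduced it on 2.0.0
const VULNERABLE_FUNCTIONS = ['isPublic', 'isPrivate']; // the two functions named in the issue

// Compare two dotted numeric versions (no prerelease handling); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Classify an ip version: inside the advisory range (npm audit will flag it),
// reported affected in the issue but outside the range (npm audit is silent),
// or outside the range with no report.
function classify(version) {
  if (compareVersions(version, ADVISORY_RANGE_UPPER) < 0) return 'in-advisory-range';
  if (REPORTED_AFFECTED.includes(version)) return 'reported-affected-not-in-audit';
  return 'outside-advisory-range';
}

// Depth-first walk over an `npm ls --json --all`-shaped tree, collecting every
// path from the root to a dependency named `target`.
function findDependencyPaths(tree, target) {
  const hits = [];
  (function walk(node, path) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const next = [...path, `${name}@${dep.version}`];
      if (name === target) {
        hits.push({ path: next.join(' > '), version: dep.version, status: classify(dep.version) });
      }
      walk(dep, next);
    }
  })(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Heuristic: which of the vulnerable functions does a source file call via an
// identifier bound to the ip module (`ip.isPublic(` / `ip.isPrivate(`)?
// Assumes the module is imported as `ip`; other aliases are not detected.
function usesVulnerableApi(sourceText) {
  const found = new Set();
  const re = new RegExp(`\\bip\\.(${VULNERABLE_FUNCTIONS.join('|')})\\s*\\(`, 'g');
  for (const m of sourceText.matchAll(re)) found.add(m[1]);
  return [...found].sort();
}

// Constructed sample tree (shape of `npm ls --json --all`); versions are illustrative.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    socks: { version: '2.7.1', dependencies: { ip: { version: '2.0.0' } } },
    'legacy-proxy': { version: '0.1.0', dependencies: { ip: { version: '1.1.5' } } },
    'other-tool': { version: '3.0.0', dependencies: { ip: { version: '1.1.8' } } },
  },
};

// Constructed sample source, not socks' real code.
const SAMPLE_SOURCE = `
const ip = require('ip');
function allowHost(host) {
  if (ip.isPrivate(host)) return false;   // would be affected per the advisory
  return ip.isV4Format(host);              // not one of the named functions
}
`;

function auditSample() {
  return findDependencyPaths(SAMPLE_TREE, 'ip');
}

for (const hit of auditSample()) {
  console.log(`${ADVISORY}: ${hit.path} -> ${hit.status}`);
}
console.log('vulnerable functions called in sample source:', usesVulnerableApi(SAMPLE_SOURCE));
```

On real input, replace SAMPLE_TREE with the parsed output of npm ls --json --all and run usesVulnerableApi over the dependency's own source files; a 2.0.0 hit that is reachable and calls one of the two functions is exactly the case the reporter says npm audit will not show you.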