diff --git a/package.json b/package.json
index 3143baa6b4..f496215770 100644
--- a/package.json
+++ b/package.json
@@ -100,24 +100,31 @@
 "webpack-subresource-integrity": "^5.1.0",
 "yargs": "^17.7.2"
 },
- "resolutions": {
- "axios": "^1.6.0",
- "dns-packet": "^1.3.2",
- "follow-redirects": "^1.15.4",
- "glob-parent": "^5.1.2",
- "lodash": "^4.17.21",
- "merge": "^2.1.1",
- "minimist": "^0.2.4",
- "postcss": "^8.4.31",
- "semver": "^7.5.2",
- "serialize-javascript": "^3.1.0",
- "set-value": "^2.0.1",
- "string_decoder": "^1.3.0",
- "tough-cookie": "^4.1.3",
- "underscore": "1.12.1",
- "url-parse": "^1.5.0",
- "word-wrap": "^1.2.4",
- "y18n": "^4.0.1"
+ "pnpm": {
+ "overrides": {
+ "axios": "^1.6.0",
+ "dns-packet": "^1.3.2",
+ "follow-redirects": "^1.15.4",
+ "glob-parent": "^5.1.2",
+ "lodash": "^4.17.21",
+ "merge": "^2.1.1",
+ "minimist": "^0.2.4",
+ "postcss": "^8.4.31",
+ "semver": "^7.5.2",
+ "serialize-javascript": "^3.1.0",
+ "set-value": "^2.0.1",
+ "socks": "^2.7.3",
+ "string_decoder": "^1.3.0",
+ "tough-cookie": "^4.1.3",
+ "underscore": "1.12.1",
+ "url-parse": "^1.5.0",
+ "word-wrap": "^1.2.4",
+ "y18n": "^4.0.1"
+ },
+ "overrides-explanation": {
+ "WHAT IS THIS SECTION": "pnpm ignores this section and comments aren't allowed in JSON files. This section documents why the above overrides have been put in place. If you add an override, describe it in this section.",
+ "socks": "There is a vulnerability in the ip package which has no fix. We consume ip via socks (eventually via lerna). Socks released a new version that removed the ip dependency. We are using this newer version of socks to avoid the vulnerability. If ip is ever updated or lerna (or any package in the chain) eventually updates to a version of socks that doesn't depend on ip, we can remove this override"
+ }
 },
 "dependencies": {
 "uuid": "^9.0.0"
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 300f3d55ed..606b48e282 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
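Review bot: The `socks` entry in `overrides-explanation` states that the override lets the project avoid the vulnerable `ip` package, but the `pnpm-lock.yaml` hunk later in this same diff still resolves `/ip@1.1.8` on the new side (only `/ip@2.0.0` is dropped), so at least one other dependency chain still pulls `ip` in and — absent a fixed release, as the note itself says — that copy is presumably affected too. Before merging, run `pnpm why ip` and either override that consumer as well or amend the explanation so it does not over-claim, e.g. append `Note: ip@1.1.8 is still resolved via another chain (see pnpm why ip); this override only removes the copy that socks used.` to the `"socks"` string. Separately, the section tells contributors to document every override, yet the seventeen entries carried over from `resolutions` have no explanation, and `"underscore": "1.12.1"` is the only exact pin among caret floors, which will silently block future patch releases; if the exact pin was not deliberate, `"underscore": "^1.12.1"` keeps the fix floor while allowing patches, and each carried-over entry deserves a one-line reason. The enclosing `package.json` object begins and ends outside the hunk.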
@@ -12,6 +12,7 @@ overrides:
 semver: ^7.5.2
 serialize-javascript: ^3.1.0
 set-value: ^2.0.1
+ socks: ^2.7.3
 string_decoder: ^1.3.0
 tough-cookie: ^4.1.3
 underscore: 1.12.1
@@ -8309,12 +8310,16 @@ packages:
 engines: {node: '>=10.13.0'}
 dev: true
 
- /ip@1.1.8:
- resolution: {integrity: sha512-PuExPYUiu6qMBQb4l06ecm6T6ujzhmh+MeJcW9wa89PoAz5pvd4zPgN5WJV104mb6S2T1AwNIAaB70JNrLQWhg==}
+ /ip-address@9.0.5:
+ resolution: {integrity: sha512-zHtQzGojZXTwZTHQqra+ETKd4Sn3vgi7uBmlPoXVWZqYvuKmtI0l/VZTjqGmJY9x88GGOaZ9+G9ES8hC4T4X8g==}
+ engines: {node: '>= 12'}
+ dependencies:
+ jsbn: 1.1.0
+ sprintf-js: 1.1.3
 dev: true
 
- /ip@2.0.0:
- resolution: {integrity: sha512-WKa+XuLG1A1R0UWhl2+1XQSi+fZWMsYKffMZTTYsiZaUD8k2yDAj5atimTUD2TZkyCkNEeYE5NhFZmupOGtjYQ==}
+ /ip@1.1.8:
+ resolution: {integrity: sha512-PuExPYUiu6qMBQb4l06ecm6T6ujzhmh+MeJcW9wa89PoAz5pvd4zPgN5WJV104mb6S2T1AwNIAaB70JNrLQWhg==}
 dev: true
 
 /ipaddr.js@1.9.1:
@@ -9227,6 +9232,10 @@ packages:
 argparse: 2.0.1
 dev: true
 
+ /jsbn@1.1.0:
+ resolution: {integrity: sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==}
+ dev: true
+
 /jsdom@20.0.3:
 resolution: {integrity: sha512-SYhBvTh89tTfCD/CRdSOm13mOBa42iTaTyfyEWBdKcGdPxPtLFBXuHR8XHb33YNYaP+lLbmSvBTsnoesCNJEsQ==}
 engines: {node: '>=14'}
@@ -12016,16 +12025,16 @@ packages:
 dependencies:
 agent-base: 6.0.2
 debug: 4.3.4
- socks: 2.7.1
+ socks: 2.7.3
 transitivePeerDependencies:
 - supports-color
 dev: true
 
- /socks@2.7.1:
- resolution: {integrity: sha512-7maUZy1N7uo6+WVEX6psASxtNlKaNVMlGQKkG/63nEDdLOWNbiUMoLK7X4uYoLhQstau72mLgfEWcXcwsaHbYQ==}
- engines: {node: '>= 10.13.0', npm: '>= 3.0.0'}
+ /socks@2.7.3:
+ resolution: {integrity: sha512-vfuYK48HXCTFD03G/1/zkIls3Ebr2YNa4qU9gHDZdblHLiqhJrJGkY3+0Nx0JpN9qBhJbVObc1CNciT1bIZJxw==}
+ engines: {node: '>= 10.0.0', npm: '>= 3.0.0'}
 dependencies:
- ip: 2.0.0
+ ip-address: 9.0.5
 smart-buffer: 4.2.0
 dev: true
 
@@ -12123,6 +12132,10 @@ packages:
 resolution: {integrity: sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=}
 dev: true
 
+ /sprintf-js@1.1.3:
+ resolution: {integrity: sha512-Oo+0REFV59/rz3gfJNKQiBlwfHaSESl1pcGyABQsnnIfWOFt6JNj5gCog2U6MLZ//IGYD+nA8nI+mTShREReaA==}
+ dev: true
+
 /ssri@10.0.4:
 resolution: {integrity: sha512-12+IR2CB2C28MMAw0Ncqwj5QbTcs0nGIhgJzYWzDkb21vWmfNI83KS4f3Ci6GI98WreIfG7o9UXp3C0qbpA8nQ==}
 engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0}