Vulnerability for ip package in proxy-agent #1188

Closed
devm33 opened this issue Feb 12, 2024 · 3 comments · Fixed by #1192

Comments

@devm33

devm33 commented Feb 12, 2024

FYI @datadog/datadog-ci has a transitive dependency (through proxy-agent) on a vulnerable version of ip: NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - GHSA-78xj-cgh5-2h22

Output from npm audit:

fix available via `npm audit fix --force`
Will install @datadog/datadog-ci@0.3.1, which is a breaking change
node_modules/pac-resolver/node_modules/ip
  pac-resolver  >=1.3.0
  Depends on vulnerable versions of ip
  node_modules/pac-resolver
    pac-proxy-agent  >=1.1.0
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  >=2.1.0
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        @datadog/datadog-ci  >=0.3.2
        Depends on vulnerable versions of proxy-agent
        node_modules/@datadog/datadog-ci

Issue in proxy-agents monorepo: TooTallNate/proxy-agents#280

Please update dependency if/when TooTallNate/proxy-agents#281 is merged and published.

@Drarig29
Contributor

Will install @datadog/datadog-ci@0.3.1

Hi @devm33! The version 0.3.1 of datadog-ci is very outdated.
Please consider upgrading to the latest version!

I'll close the issue, since we don't have this vulnerability anymore.

@devm33
Author

devm33 commented Feb 13, 2024

@Drarig29 0.3.1 is the version npm audit was trying to downgrade to in order to avoid the security vulnerability in ip since all versions >=0.3.2 were affected, as it notes.

@datadog/datadog-ci at 2.30.0 depends on proxy-agent ^6.3.0 src

However, since proxy-agent@6.3.0 specifies http-proxy-agent with the constraint ^7.0.0, now that http-proxy-agent is fixed at 7.0.1, npm audit can just update it without changing proxy-agent or @datadog/datadog-ci.

It's still worth updating the yarn.lock here though since it still has the affected version of ip <= 2.0.0 src
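The reasoning above (a transitive dependency on a vulnerable `ip`, and whether the parent's declared range already admits the fixed release so only the lockfile needs regenerating) can be checked mechanically. The following is an added example, not code from this issue or from datadog-ci: it walks a package-lock style `packages` map with the same `node_modules/...` layout as the audit output. The lock contents, the `^1.1.5` range and the fixed version `2.0.1` are constructed for illustration.

```javascript
// Added example: find every install path of a vulnerable package in a lockfile
// "packages" map (lockfile v2/v3 layout) and report whether the immediate
// parent's range admits the fixed version (lockfile-only fix) or not (the
// parent itself must publish a new release). All values below are constructed.
const FIXED = { ip: '2.0.1' };                              // assumed fixed version
const vulnerable = (name, v) => name === 'ip' && cmp(v, FIXED.ip) < 0;

function cmp(a, b) {                                        // numeric x.y.z compare
  const [x, y] = [a, b].map(v => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal caret check: ^x.y.z admits same major and >= x.y.z (x >= 1 assumed).
function caretAdmits(range, version) {
  if (!range.startsWith('^')) return false;
  const base = range.slice(1);
  return base.split('.')[0] === version.split('.')[0] && cmp(version, base) >= 0;
}

// Node resolution: look for `dep` in the nearest node_modules walking upward.
function resolveDep(packages, fromPath, dep) {
  let dir = fromPath;
  for (;;) {
    const cand = (dir ? dir + '/' : '') + 'node_modules/' + dep;
    if (packages[cand]) return cand;
    if (!dir) return null;
    const parent = dir.replace(/\/?node_modules\/(@[^/]+\/)?[^/]+$/, '');
    dir = parent === dir ? '' : parent;                      // guard against loops
  }
}

function findVulnerablePaths(packages) {
  const hits = [];
  const walk = (path, chain) => {
    for (const [dep, range] of Object.entries(packages[path].dependencies || {})) {
      const child = resolveDep(packages, path, dep);
      if (!child || chain.some(c => c.path === child)) continue;  // missing or cycle
      const next = [...chain, { path: child, range }];
      if (vulnerable(dep, packages[child].version)) {
        hits.push({ chain: next.map(c => c.path), fixable: caretAdmits(range, FIXED[dep]) });
      } else walk(child, next);
    }
  };
  walk('', []);
  return hits;
}

const LOCK = {                                              // constructed lock tree
  '': { dependencies: { '@datadog/datadog-ci': '^2.30.0' } },
  'node_modules/@datadog/datadog-ci': { version: '2.30.0', dependencies: { 'proxy-agent': '^6.3.0' } },
  'node_modules/proxy-agent': { version: '6.3.0', dependencies: { 'pac-proxy-agent': '^7.0.0' } },
  'node_modules/pac-proxy-agent': { version: '7.0.0', dependencies: { 'pac-resolver': '^7.0.0' } },
  'node_modules/pac-resolver': { version: '7.0.0', dependencies: { ip: '^1.1.5' } },
  'node_modules/pac-resolver/node_modules/ip': { version: '1.1.8' },
  'node_modules/ip': { version: '2.0.1' },
};
```

Running `findVulnerablePaths(LOCK)` reports the nested `ip` under `pac-resolver` as not fixable by a lockfile refresh (a `^1.x` range cannot admit `2.0.1`), whereas `caretAdmits('^7.0.0', '7.0.1')` is true, which is the situation described for http-proxy-agent.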

@Drarig29
Contributor

Thanks @devm33, sorry for the misunderstanding 🙇
