Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[pac-resolver] Remove ip dependency #281

Merged
merged 1 commit into from
Feb 12, 2024
Merged

[pac-resolver] Remove ip dependency #281

merged 1 commit into from
Feb 12, 2024

Conversation

viktor-urbanas-qatalog
Copy link
Contributor

@viktor-urbanas-qatalog viktor-urbanas-qatalog commented Feb 9, 2024
edited
Loading

There is a high severity vulnerability in the https://github.com/indutny/node-ip package

Unfortunately this package was updated long time ago and seems to be dead

This PR aims to fix the aforementioned issue by getting rid of the node-ip dependency in favour of using copied parts of code which are used in this lib

Fixes: #280

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Feb 9, 2024
edited
Loading

🦋 Changeset detected

Latest commit: f1b4210

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
pac-resolver Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel Vercel
Copy link

vercel bot commented Feb 9, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated (UTC)
proxy-agents ✅ Ready (Inspect) Visit Preview Feb 12, 2024 8:57am

@viktor-urbanas-qatalog viktor-urbanas-qatalog changed the title fix(proxy-agent): ditch ip npm dependency fix(pac-resolver): ditch ip npm dependency Feb 9, 2024
lyricnz
lyricnz approved these changes Feb 10, 2024
View reviewed changes
Copy link

@lyricnz lyricnz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup

@dawidurbanski
Copy link

dawidurbanski commented Feb 10, 2024
edited
Loading

It's great to see this change. Should be ok since only affected functions are ip.isPrivate and ip.isPublic and this package is not relying on them at all.

But, the whole proxy-agent will still depend on the ip package through socks-proxy-agent:

│ └─┬ socks-proxy-agent 8.0.2
          │   └─┬ socks 2.7.1
          │     └── ip 2.0.0

The alert states that all versions affected are <= 1.1.8, and that there are no patched versions while the newest version is 2.0.0.

This means technically 2.0.0 is still vulnerable, but it won't trigger the advisory audit issue.

Since we know this package does not use any of the affected functions (isPublic or isPrivate), we could just bump ip package to 2.0.0, to get rid of the warning instead of moving the code into this repo.

This was referenced Feb 10, 2024
Closed
Closed
@G-Rath
Copy link

G-Rath commented Feb 10, 2024

I've created github/advisory-database#3504 updating the advisory to include v2, and Josh has said they'll get it removed from socks.

This PR should be fine to land in parallel since it's a separate change, reduced the advisory count overall, and hopefully the socks fix will be non-breaking meaning no further changes will be needed for these packages (people will just be able to npm update socks).

@wvanderdeijl
Copy link

socks has released version 2.7.3 that removes the ip dependency: https://github.com/JoshGlazebrook/socks/releases/tag/2.7.3

@viktor-urbanas-qatalog viktor-urbanas-qatalog changed the title fix(pac-resolver): ditch ip npm dependency fix: ditch ip npm dependency Feb 12, 2024
@w3nl w3nl mentioned this pull request Feb 12, 2024
Closed
@devm33 devm33 mentioned this pull request Feb 12, 2024
Closed
rodoabad
rodoabad approved these changes Feb 12, 2024
View reviewed changes
Copy link

@rodoabad rodoabad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ship it.

@TooTallNate TooTallNate changed the title fix: ditch ip npm dependency [pac-resolver] Remove ip dependency Feb 12, 2024
@TooTallNate TooTallNate merged commit a954da3 into TooTallNate:main Feb 12, 2024
29 checks passed
@rodoabad
Copy link

Thanks, Nate!

@TooTallNate TooTallNate mentioned this pull request Feb 13, 2024
Closed
@G-Rath G-Rath mentioned this pull request Feb 14, 2024
Closed
@amarbardolia amarbardolia mentioned this pull request Jul 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@G-Rath G-Rath G-Rath left review comments

@victorfern91 victorfern91 victorfern91 approved these changes

@rodoabad rodoabad rodoabad approved these changes

@lyricnz lyricnz lyricnz approved these changes

Assignees
No one assigned
Labels
pac-resolver
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vulnerability for ip package in pac-resolver
8 participants
@viktor-urbanas-qatalog @dawidurbanski @G-Rath @wvanderdeijl @rodoabad @lyricnz @victorfern91 @TooTallNate