Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade socks from 2.7.1 to 2.7.2 #3989

Closed
wants to merge 2 commits into from
Closed

[Snyk] Security upgrade socks from 2.7.1 to 2.7.2 #3989

wants to merge 2 commits into from

Conversation

admin-token-bot
Copy link
Contributor

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 823/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6		 Server-side Request Forgery (SSRF)
SNYK-JS-IP-6240864		 No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: socks The new version differs by 4 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)

@abhishandilya
Copy link

Can we please upgrade socks to 2.7.3 which removes "ip" from the dependencies?

@yukha-dw
Copy link

yukha-dw commented Feb 15, 2024
edited
Loading

I believe there's an issue on their versioning, version 2.7.2 and 2.7.3 are identical. But, only verison 2.7.3 is registered in their GitHub.

@afcgoncalves
Copy link

Should be 2.7.3 as mentioned in JoshGlazebrook/socks#93 (comment)

@mertssmnoglu
Copy link

There is an open PR for this. It's also includes other peer and dev dependencies.

#3994

@nbbeeken
Copy link
Contributor

Hey folks, this automated PR and the related #3994 are not going to have any downstream effect.

The MongoDB driver v6 depends on socks as an optional peer dependency which means the version you install should be managed by your project's package.json. Since we use ^2.7.1 as the permitted range this means any minor or patch version above that should be installable and compatible with the driver.

The v5 and v4 versions of the driver have socks as a dependency but with the same semver range. The means npm will allow socks versions later than 2.7.1 to be installed alongside the driver and consider them compatible. Probably, the easiest way to get socks to upgrade is: npm rm mongodb && npm i mongodb@VERSION where VERSION was the current driver version you are using.

We'll still be upgrading the devDependency for our sake in the other PR so, I'll close this.

@nbbeeken nbbeeken closed this Feb 15, 2024
@aditi-khare-mongoDB aditi-khare-mongoDB mentioned this pull request Feb 21, 2024
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@denzilgupta denzilgupta denzilgupta approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@admin-token-bot @abhishandilya @yukha-dw @afcgoncalves @mertssmnoglu @nbbeeken @denzilgupta @snyk-bot