Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Socks package depends on vulnerable package ip #93

Closed
dawidurbanski opened this issue Feb 10, 2024 · 2 comments
Closed

Socks package depends on vulnerable package ip #93

dawidurbanski opened this issue Feb 10, 2024 · 2 comments

Comments

@dawidurbanski
Copy link

dawidurbanski commented Feb 10, 2024
edited
Loading

This package relies on a vulnerable ip package.

GHSA-78xj-cgh5-2h22

The report says the affected versions are below 1.1.8 without any patched versions (latest is 2.0.0, which this package relies on).

I took a moment to reproduce the vulnerability in 2.0.0 and this version is also affected (but not seen in npm audit, due to version constraint in the advisory database).

Maybe consider removing ip as dependency.

This package seems to be dead, especially looking at the discousure timeline in the report:

Disclosure Timeline
14 December 2022 - First Contact (via huntr):
17 January 2023 - Reminder (No Response)
28 February 2023 - Reminder (No Response)
8 February 2024 - Public Disclosure

Is this package affected

The only two vulnerable functions from the ip package are isPublic and isPrivate.

I didn't look through the code but you probably should ignore this if this package is not using these functions.

In such case this probably should be revisited only in case of the advisory database update stating the 2.0.0 package is also affected (making this package a culprit in the npm audit). Until then it's probably safe to ignore.

Related:
@dawidurbanski dawidurbanski mentioned this issue Feb 10, 2024
Closed
@JoshGlazebrook
Copy link
Owner

I'll work on removing it later today.

@G-Rath G-Rath mentioned this issue Feb 10, 2024
Merged
@JoshGlazebrook
Copy link
Owner

2.7.3 is published - https://www.npmjs.com/package/socks/v/2.7.3

#94

@danjm danjm mentioned this issue Feb 13, 2024
Merged
@afcgoncalves afcgoncalves mentioned this issue Feb 15, 2024
Closed
markhepburn added a commit to IMASau/Seamap that referenced this issue Feb 19, 2024
@markhepburn
Upgrade Socks package to remove vulnerable ip package
30347c2 
GHSA-78xj-cgh5-2h22

ip was used by socks
JoshGlazebrook/socks#93 (comment) (also
by storybook but I'm not worried about that), so we upgrade socks.
The ip package itself seems dead.
This was referenced Apr 9, 2024
Open
Merged
This was referenced Apr 20, 2024
Merged
Open
Open
@caputomarcos caputomarcos mentioned this issue Aug 29, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JoshGlazebrook @dawidurbanski