
Update socks dep to remove security alert #292

Closed
wants to merge 2 commits into from

Conversation

ekohilas

npm@10.4.0 has an indirect dependency on ip via socks@2.7.1

ip has a high security vulnerability

socks@2.7.3 no longer has a dependency on ip, but it seems like somewhere up the chain, something is installing 2.7.1 exactly rather than going to 2.7.3

This bump should help prevent that.


changeset-bot bot commented Feb 19, 2024

🦋 Changeset detected

Latest commit: 79c7ed4

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:

  Name               Type
  socks-proxy-agent  Patch


vercel bot commented Feb 19, 2024

The latest updates on your projects:

  Name          Status  Updated (UTC)
  proxy-agents  Failed  Feb 19, 2024 3:58am

TooTallNate (Owner) commented

Thanks, but I've explained here about the npm case. Bumping here isn't going to fix anything, a new release needs to happen on npm's end to upgrade its bundled dependencies.

@pumano

pumano commented Feb 19, 2024

@TooTallNate it's released, but npm audit checks only the dependency versions used in the package.json tree, and if you merge it, it should not show the vulnerability.

TooTallNate (Owner) commented

> npm audit checks only deps versions used in package.json

That is incorrect. See below:

$ npm audit
found 0 vulnerabilities

$ npm ls -a
└─┬ socks-proxy-agent@8.0.2
  ├─┬ agent-base@7.1.0
  │ └── debug@4.3.4 deduped
  ├─┬ debug@4.3.4
  │ └── ms@2.1.2
  └─┬ socks@2.7.3
    ├─┬ ip-address@9.0.5
    │ ├── jsbn@1.1.0
    │ └── sprintf-js@1.1.3
    └── smart-buffer@4.2.0

Even with the current socks-proxy-agent release, socks@2.7.3 is installed, which does not have the ip dependency.

@pumano

pumano commented Feb 19, 2024

Looks like I need to delete node_modules, and then the results from npm audit are better. Thanks

@TooTallNate TooTallNate mentioned this pull request Feb 21, 2024