
Nodejs using vulnerable package for ip #51848

Closed
rovindra opened this issue Feb 23, 2024 · 8 comments · Fixed by #51913
Labels
npm Issues and PRs related to the npm client dependency or the npm registry.

Comments

@rovindra

Version

v21.6.2

Platform

Linux 3aa06663b056 6.6.12-linuxkit #1 SMP PREEMPT_DYNAMIC Tue Jan 30 09:48:40 UTC 2024 x86_64 Linux

Subsystem

ip

What steps will reproduce the bug?

Build a container image with Node version v21.6.2 and scan it using any available image scanning tool.
It will report a medium severity vulnerability in the ip package, which is bundled as a dependency of Node.js here: https://github.com/nodejs/node/blob/main/deps/npm/node_modules/ip/package.json
You can also find more information about this vulnerability here: GHSA-78xj-cgh5-2h22

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior? Why is that the expected behavior?

You should change the ip package version to 2.0.1.

What do you see instead?

Medium Severity Vulnerability

Additional information

No response

VoltrexKeyva added the npm label Feb 23, 2024
@VoltrexKeyva
Member

If you use npm ls -g ip you can pinpoint exactly what depends on it, in this case npm depends on make-fetch-happen which in turn depends on @npmcli/agent which depends on socks-proxy-agent. socks-proxy-agent depends on socks but socks removed the ip package in JoshGlazebrook/socks@66b7f73, so to fix this the socks version must be bumped here in socks-proxy-agent and release an update, then @npmcli/agent must update to the new version of socks-proxy-agent and release an update, and then make-fetch-happen must update to the new version of @npmcli/agent and release an update, and finally npm must update to the new version of make-fetch-happen... 😅

@rovindra
Author

Yes, I agree with you, it's a very long chain. Let's see what we can do, as it should be fixed.

@joyeecheung
Member

joyeecheung commented Feb 26, 2024

Or, it seems npm CLI is only using make-fetch-happen here: https://github.com/npm/cli/blob/95b505738a73ba740227a41b8c7c87013af5acaf/lib/commands/doctor.js#L197 which can be replaced with the global fetch since Node.js v18...

@mhdawson
Member

Discussion on this issue in npm repo - npm/cli#7216

@mhdawson
Member

mhdawson commented Feb 26, 2024

I think we should move this to https://github.com/nodejs/nodejs-dependency-vuln-assessments. Any concerns with moving it there?

@sidewaiise

This is causing some issues with our security scanner. We might need to delete the dependency as part of the build process until it's fixed in the base images.

Using base image node:18-alpine.

@richardlau richardlau linked a pull request Feb 28, 2024 that will close this issue
@michaelact

> This is causing some issues with our security scanner. We might need to delete the dependency as part of the build process until it's fixed in the base images.
>
> Using base image node:18-alpine.

How did you manage to remove it?

@kl4072

kl4072 commented Mar 15, 2024

When do we have a fix on Node version 20? ip is still referencing 2.0.0.
