
[BUG] release npm with upgraded dependencies to address critical CVE-2023-42282 #7223

Closed
2 tasks done
lalexl opened this issue Feb 15, 2024 · 10 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x

Comments

@lalexl

lalexl commented Feb 15, 2024

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm includes the nested dependency socks@2.7.1, which is impacted by the Critical vulnerability CVE-2023-42282 in ip@2.0.0.
socks@2.7.3 replaces this dependency.

├─┬ make-fetch-happen@13.0.0
│ ├─┬ @npmcli/agent@2.1.1
│ │ ├─┬ http-proxy-agent@7.0.0
│ │ │ ├─┬ agent-base@7.1.0
│ │ │ │ └── debug@4.3.4 deduped
│ │ │ └── debug@4.3.4 deduped
│ │ ├─┬ https-proxy-agent@7.0.1
│ │ │ ├── agent-base@7.1.0 deduped
│ │ │ └── debug@4.3.4 deduped
│ │ ├── lru-cache@10.0.1 deduped
│ │ └─┬ socks-proxy-agent@8.0.1
│ │   ├── agent-base@7.1.0 deduped
│ │   ├── debug@4.3.4 deduped
│ │   └─┬ socks@2.7.1
│ │     ├── ip@2.0.0

Expected Behavior

npm shouldn't include any npm packages with Critical vulnerabilities.

Steps To Reproduce

  1. Any environment
  2. Out of the box new npm install
  3. Run any security scan available

Environment

  • npm: 10.4.0
  • Node.js:
  • OS Name: RedHat ubi8
@lalexl lalexl added Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x labels Feb 15, 2024
@brock-rb2t

Thanks for adding! I guess the best response is for npm to update their version of socks, and then devextreme-cli can update their version of npm. Right?

@ghost

ghost commented Feb 19, 2024

Issue was addressed in ip package 2.0.1, so a package-lock update / release should do the trick for now too.
indutny/node-ip@32f468f

@invariants

Unfortunately, this is not enough because of the bundleDependencies key, see: TooTallNate/proxy-agents#288 (comment)
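The dependency chain in the opening post and the bundleDependencies caveat above describe what a scan has to check: not only whether an old ip release is present, but whether it is reachable only through a bundled package that a lock-file refresh cannot replace. The script below is an added example, not code from this issue or from npm itself; it walks a tree shaped like `npm ls --all --json` output and reports every path ending in ip older than 2.0.1 (the fix release named in this thread). The sample tree and its `inBundle` markers are constructed here (the marker name follows package-lock.json; `npm ls` output may not carry it).

```javascript
// Added example: find paths to ip < 2.0.1 in an npm dependency tree and
// flag the ones that pass through a bundled package. Not npm's own code.

// Compare dotted versions numerically; true when `version` is below `floor`.
function olderThan(version, floor) {
  const a = version.split('.').map(Number);
  const b = floor.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the tree; each hit records the full path and whether any ancestor
// (or the ip package itself) is bundled, since bundled copies ship inside
// the parent's tarball and are not replaced by updating the lock file.
function findVulnerableIp(tree, fixedIn = '2.0.1') {
  const hits = [];
  const walk = (node, path, bundled) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${child.version}`];
      const inBundle = bundled || child.inBundle === true;
      // Deduped entries may lack a version; only check entries that have one.
      if (name === 'ip' && child.version && olderThan(child.version, fixedIn)) {
        hits.push({ path: here.join(' > '), bundled: inBundle });
      }
      walk(child, here, inBundle);
    }
  };
  walk(tree, [], false);
  return hits;
}

// Constructed sample mirroring the chain reported in the issue; the
// `inBundle` flag on socks-proxy-agent is an assumption for illustration.
const sampleTree = {
  name: 'npm', version: '10.4.0',
  dependencies: {
    'make-fetch-happen': { version: '13.0.0', dependencies: {
      '@npmcli/agent': { version: '2.1.1', dependencies: {
        'socks-proxy-agent': { version: '8.0.1', inBundle: true, dependencies: {
          socks: { version: '2.7.1', dependencies: {
            ip: { version: '2.0.0' } } } } } } } } },
    'other-tool': { version: '1.0.0', dependencies: { ip: { version: '2.0.1' } } },
  },
};

for (const hit of findVulnerableIp(sampleTree)) {
  console.log(`${hit.bundled ? 'BUNDLED ' : ''}${hit.path}`);
}
```

On a real install, feed it `JSON.parse` of `npm ls --all --json` (run inside the npm package directory to inspect npm's own tree); a BUNDLED hit means a new upstream release is needed rather than a lock-file update.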

@mihob

mihob commented Feb 20, 2024

Any news on this topic?

@nam-nguyen-clv

Duplicate of issue #7216

@pog-charlesinglese

I'd kindly like to request a new release of npm that doesn't depend directly or indirectly on a vulnerable version of the ip module.

@ljharb
Collaborator

ljharb commented Feb 21, 2024

Duplicate of #7216.

@ljharb ljharb closed this as not planned Won't fix, can't repro, duplicate, stale Feb 21, 2024
@errodrigues

I'm sorry but how is this closed? What's the solution here?

@agforero

agforero commented Feb 21, 2024

@errodrigues This is closed because it's a duplicate of #7216. If you're interested in this, you should follow that thread instead.

@errodrigues

Thank you.
