security vulnerability using socks@2.7.1

[yonayarin]

• [] I have searched for similar issues
• [] I am using the latest version of npm-check-updates
• [] I am using node >= 14.14

---

Lately I started to get some security vulnerability from this package.

└─┬ npm-check-updates@16.14.20
└─┬ make-fetch-happen@11.1.1
└─┬ socks-proxy-agent@7.0.0
└─┬ socks@2.7.1
└── ip@2.0.0

socks package in this version uses "ip" version "2.0.0" - full issue description nodejs/node#51848
Here is another report of this issue - npm/cli#7223

Will be happy if you can update versions accordingly to remove this issued dependency.

Steps to Reproduce

Steps:

Run CI with npm-check-updates@16.14.20 installed

Current Behavior

Display security vulnerability.

Expected Behavior

[raineorshine]

Thanks for reporting. I added it to overrides since the patch has not yet trickled up the dependency chain.

It will be published in the next release, which is currently blocked by #1404.

[wilhen01]

Bumping this - version 12.0.0 and later of make-fetch-happen removes the socks-proxy-agent so should resolve this by getting rid of ip in the chain entirely.

[raineorshine]

Thanks. I don't think #1404 is going to happen, so I just need to do a major release with what we have now.

I'm traveling next week, but will make some time soon.