NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks

[nbouvrette]

The issue below seems to be tracked here: TooTallNate/proxy-agents#280

Once a solution is found, release-it can update its packages to get the fix.

ip  <=1.1.8
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix --force`
Will install release-it@14.14.2, which is a breaking change
node_modules/ip
  pac-resolver  >=1.3.0
  Depends on vulnerable versions of ip
  node_modules/pac-resolver
    pac-proxy-agent  >=1.1.0
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  >=2.1.0
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        release-it  0.0.0-pl.0 || >=14.14.3
        Depends on vulnerable versions of proxy-agent
        node_modules/release-it
          @release-it/conventional-changelog  >=5.1.0
          Depends on vulnerable versions of release-it
          node_modules/@release-it/conventional-changelog

6 high severity vulnerabilities

[av-k]

As far as I can see there are no updates.
As a temporary fix, the next code snippet could be used in package.json (npm overrides field):

  "overrides": {
    "release-it": {
      "proxy-agent": "6.4.0"
    }
  }

where is "proxy-agent": "6.4.0" is a fixed version.

[brock-rb2t]

+1 to this issue

[webpro]

🚀 This issue has been resolved in v17.0.4. See Release 17.0.4 for release notes.