Request for patched semantic-release version to address ip package vulnerability (CVE-2023-42282) #3202
Comments
|
FYI - |
|
our dependency on socks/ip comes through npm. npm bundles their dependencies, so there is nothing we can do until there is an npm release that resolves the issue. once that happens, our dependency on npm is defined as a range, so anyone can use the latest npm version as soon as it is available without any change from our team. we will likely tighten our supported range to force the update, but no one should be blocked by our change being released. |
|
For what it's worth, the vulnerable code does not appear to be used by It is therefore not used by |
|
npm has updated their dependency here to reference ip 2.0.1 - npm/cli#7242. So, now can we expect a patch release with updated dependencies ? |
see #3202 (comment). there is nothing we can do until there is a new release of npm. even so, there is no risk other than it being reported by whatever tool you happen to be using. |
|
It looks like npm package has now released a new version https://github.com/npm/cli/blob/latest/CHANGELOG.md |
travi
added a commit
to semantic-release/npm
that referenced
this issue
Mar 1, 2024
gr2m
pushed a commit
to semantic-release/npm
that referenced
this issue
Mar 1, 2024
xkrishguptaa
pushed a commit
to xkrishguptaa/trevenant
that referenced
this issue
Mar 2, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@semantic-release/npm](https://togithub.com/semantic-release/npm) | [`11.0.2` -> `11.0.3`](https://renovatebot.com/diffs/npm/@semantic-release%2fnpm/11.0.2/11.0.3) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>semantic-release/npm (@​semantic-release/npm)</summary> ### [`v11.0.3`](https://togithub.com/semantic-release/npm/releases/tag/v11.0.3) [Compare Source](https://togithub.com/semantic-release/npm/compare/v11.0.2...v11.0.3) ##### Bug Fixes - **deps:** raised the minimum accepted range of npm to v10.5.0 ([#​759](https://togithub.com/semantic-release/npm/issues/759)) ([a0313f8](https://togithub.com/semantic-release/npm/commit/a0313f82060ec344d77443a9b1b28e87178dcf78)), closes [semantic-release/semantic-release#3202](https://togithub.com/semantic-release/semantic-release/issues/3202) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/xkrishguptaa/trevenant). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMjAuMiIsInVwZGF0ZWRJblZlciI6IjM3LjIyMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
xkrishguptaa
pushed a commit
to xkrishguptaa/reseter.css
that referenced
this issue
Mar 2, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@semantic-release/npm](https://togithub.com/semantic-release/npm) | [`11.0.2` -> `11.0.3`](https://renovatebot.com/diffs/npm/@semantic-release%2fnpm/11.0.2/11.0.3) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [autoprefixer](https://togithub.com/postcss/autoprefixer) | [`10.4.17` -> `10.4.18`](https://renovatebot.com/diffs/npm/autoprefixer/10.4.17/10.4.18) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>semantic-release/npm (@​semantic-release/npm)</summary> ### [`v11.0.3`](https://togithub.com/semantic-release/npm/releases/tag/v11.0.3) [Compare Source](https://togithub.com/semantic-release/npm/compare/v11.0.2...v11.0.3) ##### Bug Fixes - **deps:** raised the minimum accepted range of npm to v10.5.0 ([#​759](https://togithub.com/semantic-release/npm/issues/759)) ([a0313f8](https://togithub.com/semantic-release/npm/commit/a0313f82060ec344d77443a9b1b28e87178dcf78)), closes [semantic-release/semantic-release#3202](https://togithub.com/semantic-release/semantic-release/issues/3202) </details> <details> <summary>postcss/autoprefixer (autoprefixer)</summary> ### [`v10.4.18`](https://togithub.com/postcss/autoprefixer/blob/HEAD/CHANGELOG.md#10418) [Compare Source](https://togithub.com/postcss/autoprefixer/compare/10.4.17...10.4.18) - Fixed removing `-webkit-box-orient` on `-webkit-line-clamp` ([@​Goodwine](https://togithub.com/Goodwine)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/xkrishguptaa/reseter.css). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMjAuMiIsInVwZGF0ZWRJblZlciI6IjM3LjIyMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot
added a commit
to adobe/spacecat-shared
that referenced
this issue
Mar 2, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@aws-sdk/client-dynamodb](https://togithub.com/aws/aws-sdk-js-v3/tree/main/clients/client-dynamodb) ([source](https://togithub.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-dynamodb)) | [`3.521.0` -> `3.525.0`](https://renovatebot.com/diffs/npm/@aws-sdk%2fclient-dynamodb/3.521.0/3.525.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@aws-sdk/client-s3](https://togithub.com/aws/aws-sdk-js-v3/tree/main/clients/client-s3) ([source](https://togithub.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3)) | [`3.521.0` -> `3.525.0`](https://renovatebot.com/diffs/npm/@aws-sdk%2fclient-s3/3.521.0/3.525.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@aws-sdk/client-sqs](https://togithub.com/aws/aws-sdk-js-v3/tree/main/clients/client-sqs) ([source](https://togithub.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-sqs)) | [`3.521.0` -> `3.525.0`](https://renovatebot.com/diffs/npm/@aws-sdk%2fclient-sqs/3.521.0/3.525.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@aws-sdk/lib-dynamodb](https://togithub.com/aws/aws-sdk-js-v3/tree/main/lib/lib-dynamodb) ([source](https://togithub.com/aws/aws-sdk-js-v3/tree/HEAD/lib/lib-dynamodb)) | [`3.521.0` -> `3.525.0`](https://renovatebot.com/diffs/npm/@aws-sdk%2flib-dynamodb/3.521.0/3.525.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@semantic-release/npm](https://togithub.com/semantic-release/npm) | [`11.0.2` -> `11.0.3`](https://renovatebot.com/diffs/npm/@semantic-release%2fnpm/11.0.2/11.0.3) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/typescript-eslint) ([source](https://togithub.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin)) | [`7.0.2` -> `7.1.0`](https://renovatebot.com/diffs/npm/@typescript-eslint%2feslint-plugin/7.0.2/7.1.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@typescript-eslint/parser](https://togithub.com/typescript-eslint/typescript-eslint) ([source](https://togithub.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`7.0.2` -> `7.1.0`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/7.0.2/7.1.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [nock](https://togithub.com/nock/nock) | [`13.5.3` -> `13.5.4`](https://renovatebot.com/diffs/npm/nock/13.5.3/13.5.4) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>aws/aws-sdk-js-v3 (@​aws-sdk/client-dynamodb)</summary> ### [`v3.525.0`](https://togithub.com/aws/aws-sdk-js-v3/blob/HEAD/clients/client-dynamodb/CHANGELOG.md#35250-2024-02-29) [Compare Source](https://togithub.com/aws/aws-sdk-js-v3/compare/v3.523.0...v3.525.0) **Note:** Version bump only for package [@​aws-sdk/client-dynamodb](https://togithub.com/aws-sdk/client-dynamodb) ### [`v3.523.0`](https://togithub.com/aws/aws-sdk-js-v3/blob/HEAD/clients/client-dynamodb/CHANGELOG.md#35230-2024-02-27) [Compare Source](https://togithub.com/aws/aws-sdk-js-v3/compare/v3.521.0...v3.523.0) **Note:** Version bump only for package [@​aws-sdk/client-dynamodb](https://togithub.com/aws-sdk/client-dynamodb) </details> <details> <summary>aws/aws-sdk-js-v3 (@​aws-sdk/client-s3)</summary> ### [`v3.525.0`](https://togithub.com/aws/aws-sdk-js-v3/blob/HEAD/clients/client-s3/CHANGELOG.md#35250-2024-02-29) [Compare Source](https://togithub.com/aws/aws-sdk-js-v3/compare/v3.523.0...v3.525.0) **Note:** Version bump only for package [@​aws-sdk/client-s3](https://togithub.com/aws-sdk/client-s3) ### [`v3.523.0`](https://togithub.com/aws/aws-sdk-js-v3/blob/HEAD/clients/client-s3/CHANGELOG.md#35230-2024-02-27) [Compare Source](https://togithub.com/aws/aws-sdk-js-v3/compare/v3.521.0...v3.523.0) **Note:** Version bump only for package [@​aws-sdk/client-s3](https://togithub.com/aws-sdk/client-s3) </details> <details> <summary>aws/aws-sdk-js-v3 (@​aws-sdk/client-sqs)</summary> ### [`v3.525.0`](https://togithub.com/aws/aws-sdk-js-v3/blob/HEAD/clients/client-sqs/CHANGELOG.md#35250-2024-02-29) [Compare Source](https://togithub.com/aws/aws-sdk-js-v3/compare/v3.523.0...v3.525.0) **Note:** Version bump only for package [@​aws-sdk/client-sqs](https://togithub.com/aws-sdk/client-sqs) ### [`v3.523.0`](https://togithub.com/aws/aws-sdk-js-v3/blob/HEAD/clients/client-sqs/CHANGELOG.md#35230-2024-02-27) [Compare Source](https://togithub.com/aws/aws-sdk-js-v3/compare/v3.521.0...v3.523.0) **Note:** Version bump only for package [@​aws-sdk/client-sqs](https://togithub.com/aws-sdk/client-sqs) </details> <details> <summary>aws/aws-sdk-js-v3 (@​aws-sdk/lib-dynamodb)</summary> ### [`v3.525.0`](https://togithub.com/aws/aws-sdk-js-v3/blob/HEAD/lib/lib-dynamodb/CHANGELOG.md#35250-2024-02-29) [Compare Source](https://togithub.com/aws/aws-sdk-js-v3/compare/v3.523.0...v3.525.0) **Note:** Version bump only for package [@​aws-sdk/lib-dynamodb](https://togithub.com/aws-sdk/lib-dynamodb) ### [`v3.523.0`](https://togithub.com/aws/aws-sdk-js-v3/blob/HEAD/lib/lib-dynamodb/CHANGELOG.md#35230-2024-02-27) [Compare Source](https://togithub.com/aws/aws-sdk-js-v3/compare/v3.521.0...v3.523.0) ##### Bug Fixes - **lib-dynamodb:** preserve collections when serializing class instances to map ([#​5826](https://togithub.com/aws/aws-sdk-js-v3/issues/5826)) ([e1ba507](https://togithub.com/aws/aws-sdk-js-v3/commit/e1ba507fc84d5ae526fe0ee0a26ea4f039b63d03)) </details> <details> <summary>semantic-release/npm (@​semantic-release/npm)</summary> ### [`v11.0.3`](https://togithub.com/semantic-release/npm/releases/tag/v11.0.3) [Compare Source](https://togithub.com/semantic-release/npm/compare/v11.0.2...v11.0.3) ##### Bug Fixes - **deps:** raised the minimum accepted range of npm to v10.5.0 ([#​759](https://togithub.com/semantic-release/npm/issues/759)) ([a0313f8](https://togithub.com/semantic-release/npm/commit/a0313f82060ec344d77443a9b1b28e87178dcf78)), closes [semantic-release/semantic-release#3202](https://togithub.com/semantic-release/semantic-release/issues/3202) </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)</summary> ### [`v7.1.0`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/eslint-plugin/CHANGELOG.md#710-2024-02-26) [Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v7.0.2...v7.1.0) ##### 🚀 Features - **eslint-plugin:** add \*-type-checked-only configs - **eslint-plugin:** \[naming-convention] support the auto-accessor syntax - **eslint-plugin:** \[consistent-return] add new rule ##### 🩹 Fixes - **eslint-plugin:** \[prefer-optional-chan] allow typeof for avoiding reference error - **eslint-plugin:** \[no-misused-promises] improve check union types - **eslint-plugin:** \[no-use-before-define] fix false positive type reference in as, satisfies ##### ❤️ Thank You - Arka Pratim Chaudhuri - Josh Goldberg ✨ - YeonJuan You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website. </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/parser)</summary> ### [`v7.1.0`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#710-2024-02-26) [Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v7.0.2...v7.1.0) This was a version bump only for parser to align it with other projects, there were no code changes. You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website. </details> <details> <summary>nock/nock (nock)</summary> ### [`v13.5.4`](https://togithub.com/nock/nock/releases/tag/v13.5.4) [Compare Source](https://togithub.com/nock/nock/compare/v13.5.3...v13.5.4) ##### Bug Fixes - call `fs.createReadStream` lazily ([#​2357](https://togithub.com/nock/nock/issues/2357)) ([ba9fc42](https://togithub.com/nock/nock/commit/ba9fc424d5a17cbdde62745d4bdd8159331a1b8d)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 2pm on Saturday" in timezone Europe/Zurich, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/adobe/spacecat-shared). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMjAuMiIsInVwZGF0ZWRJblZlciI6IjM3LjIyMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Kit-p
added a commit
to Kit-p/json-kit
that referenced
this issue
Apr 3, 2024
](https://renovatebot.com){kind=link}
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@semantic-release/npm](https://togithub.com/semantic-release/npm) | [`11.0.2` -> `11.0.3`](https://renovatebot.com/diffs/npm/@semantic-release%2fnpm/11.0.2/11.0.3) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>semantic-release/npm (@​semantic-release/npm)</summary> ### [`v11.0.3`](https://togithub.com/semantic-release/npm/releases/tag/v11.0.3) [Compare Source](https://togithub.com/semantic-release/npm/compare/v11.0.2...v11.0.3) ##### Bug Fixes - **deps:** raised the minimum accepted range of npm to v10.5.0 ([#​759](https://togithub.com/semantic-release/npm/issues/759)) ([a0313f8](https://togithub.com/semantic-release/npm/commit/a0313f82060ec344d77443a9b1b28e87178dcf78)), closes [semantic-release/semantic-release#3202](https://togithub.com/semantic-release/semantic-release/issues/3202) even though our existing range allowed anyone to update as soon as the new npm version was available, this will encourage being on a version that does not report the ip vulnerability a bit more forcefully </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/Kit-p/json-kit). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Last week, CVE 2023 42282 was reported for versions up to 2.0.0 of the NPM package
ip. As this package, along with its parent dependencies, is bundled withnpm, we are unable to directly update them within our project. Despite attempting to upgrade to the latestsemantic-releaseversion 23.0.2 andnpmversion 10.4.0, the project still references the vulnerable version of theippackage.Moreover,
iphas just recently released version 2.0.1 containing the necessary fix for the vulnerability. So, are there are any plans to release a patched version ofsemantic-releaseto align with the latest secure version of theippackage ?The text was updated successfully, but these errors were encountered: