Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nodejs using vulnerable package for ip #51848

Closed
rovindra opened this issue Feb 23, 2024 · 8 comments · Fixed by #51913
Closed

Nodejs using vulnerable package for ip #51848

rovindra opened this issue Feb 23, 2024 · 8 comments · Fixed by #51913
Labels
npm Issues and PRs related to the npm client dependency or the npm registry.

Comments

@rovindra
Copy link

Version

v21.6.2

Platform

Linux 3aa06663b056 6.6.12-linuxkit #1 SMP PREEMPT_DYNAMIC Tue Jan 30 09:48:40 UTC 2024 x86_64 Linux

Subsystem

ip

What steps will reproduce the bug?

Build container image with node version v21.6.2 and scan it using any image scanning tool available.
It will report the medium severity vulnerability in ip package which is bundled as deps for nodejs here: https://github.com/nodejs/node/blob/main/deps/npm/node_modules/ip/package.json
You can also find the more information about this vulnerability here: GHSA-78xj-cgh5-2h22

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior? Why is that the expected behavior?

You should change the ip package version to 2.0.1.

What do you see instead?

Medium Severity Vulnerability

Additional information

No response

@VoltrexKeyva VoltrexKeyva added the npm Issues and PRs related to the npm client dependency or the npm registry. label Feb 23, 2024
@VoltrexKeyva
Copy link
Member

If you use npm ls -g ip you can pinpoint exactly what depends on it, in this case npm depends on make-fetch-happen which in turn depends on @npmcli/agent which depends on socks-proxy-agent. socks-proxy-agent depends on socks but socks removed the ip package in JoshGlazebrook/socks@66b7f73, so to fix this the socks version must be bumped here in socks-proxy-agent and release an update, then @npmcli/agent must update to the new version of socks-proxy-agent and release an update, and then make-fetch-happen must update to the new version of @npmcli/agent and release an update, and finally npm must update to the new version of make-fetch-happen... 😅

@rovindra
Copy link
Author

Yes agree with you its a very long chain. Lets see what we can do as it should be fixed.

@joyeecheung
Copy link
Member

joyeecheung commented Feb 26, 2024

Or, it seems npm CLI is only using make-fetch-happen here: https://github.com/npm/cli/blob/95b505738a73ba740227a41b8c7c87013af5acaf/lib/commands/doctor.js#L197 which can be replaced with the global fetch since Node.js v18...

@mhdawson
Copy link
Member

Discussion on this issue in npm repo - npm/cli#7216

@mhdawson
Copy link
Member

mhdawson commented Feb 26, 2024

I think we should move this to https://github.com/nodejs/nodejs-dependency-vuln-assessments. Any concerns with moving it there?

@sidewaiise
Copy link

This is causing some issues with our security scanner. We might need to delete the dependency as part of the build process until it's fixed in the base images.

using base image node:18-alpine

@richardlau richardlau linked a pull request Feb 28, 2024 that will close this issue
@michaelact
Copy link

This is causing some issues with our security scanner. We might need to delete the dependency as part of the build process until it's fixed in the base images.

using base image node:18-alpine

How did you manage to remove it?

@kl4072
Copy link

kl4072 commented Mar 15, 2024

when do we have a fix on Node version 20 ? ip is still referencing 2.0.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
npm Issues and PRs related to the npm client dependency or the npm registry.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants