security vulnerability using [email protected]

[yonayarin]

• [] I have searched for similar issues
• [] I am using the latest version of npm-check-updates
• [] I am using node >= 14.14

---

Lately I started to get some security vulnerability from this package.

└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]

socks package in this version uses "ip" version "2.0.0" - full issue description nodejs/node#51848
Here is another report of this issue - npm/cli#7223

Will be happy if you can update versions accordingly to remove this issued dependency.

Steps to Reproduce

Steps:

Run CI with [email protected] installed

Current Behavior

Display security vulnerability.

Expected Behavior

[raineorshine]

Thanks for reporting. I added it to overrides since the patch has not yet trickled up the dependency chain.

It will be published in the next release, which is currently blocked by #1404.

[wilhen01]

Bumping this - version 12.0.0 and later of make-fetch-happen removes the socks-proxy-agent so should resolve this by getting rid of ip in the chain entirely.

[raineorshine]

Thanks. I don't think #1404 is going to happen, so I just need to do a major release with what we have now.

I'm traveling next week, but will make some time soon.

[raineorshine]

Published in v17.0.0.

Note that the override is still needed, because ip is still in the dependency tree:

[email protected] /Users/raine/projects/npm-check-updates
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ @npmcli/[email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected] overridden