
Derived security vulnerability from ip package through puppeteer dependency #1542

Open
AloisSeckar opened this issue Feb 11, 2024 · 2 comments

Comments

@AloisSeckar

Just noticed Dependabot's security alert in my project regarding an SSRF vulnerability in ip 1.1.8. The dependency is being imported through puppeteer.

They already have an issue there, so I guess they will mitigate it sooner or later, although it looks like ip is currently not being developed. But once it is done, a new version of backstopjs will be required, so I am opening this to get attention.

Currently it is possible to shift back to version 6.2.2, which depends on an older (and also unmaintained) version of puppeteer, but this is obviously not the ideal solution.

@dgrebb
Contributor

dgrebb commented Feb 13, 2024

This can be manually fixed in package.json by overriding proxy-agent for now. When puppeteer does so in their dependencies, it will organically find its way into backstop.

For example:

```json
{
  "pnpm": {
    "overrides": {
      "proxy-agent@<6.4.0": "^6.4.0"
    }
  }
}
```

Various audit utilities should pick up on the patch as well.

See overrides.
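Whether the override actually lifted the transitive `ip` is worth checking after reinstalling, since an override only takes effect if the key matches the installed spec. The script below is an added example, not code from this issue, from backstopjs or from puppeteer. It walks a dependency tree in the JSON shape that `npm ls --all --json` prints (a `dependencies` map whose entries carry `version` and nested `dependencies`), lists every path at which a package is installed below a minimum version, and writes the same override key into either `pnpm.overrides` or npm's top-level `overrides`. The two trees and all version numbers embedded here are constructed for illustration; the minimum version you pass should be the fixed version named in your advisory.

```javascript
// Added example (not part of the issue or of backstopjs/puppeteer).
// Checks that a transitive dependency was lifted above a minimum version
// and shows how the override key is placed for pnpm and for npm.

// Compare only the numeric major.minor.patch part; prerelease/build tags dropped.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every install of `name`, with the path that pulled it in.
function findPackage(tree, name, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) hits.push({ path: here, version: info.version });
    hits.push(...findPackage(info, name, here));
  }
  return hits;
}

// Installs of `name` whose version is still below `minVersion`.
function vulnerableInstalls(tree, name, minVersion) {
  return findPackage(tree, name).filter(
    (h) => compareVersions(h.version, minVersion) < 0
  );
}

// Return a copy of package.json with the override added for the given manager.
// pnpm reads `pnpm.overrides`; npm reads top-level `overrides`.
function addOverride(pkg, manager, spec, target) {
  const out = JSON.parse(JSON.stringify(pkg));
  if (manager === 'pnpm') {
    out.pnpm = out.pnpm || {};
    out.pnpm.overrides = { ...(out.pnpm.overrides || {}), [spec]: target };
  } else {
    out.overrides = { ...(out.overrides || {}), [spec]: target };
  }
  return out;
}

// Constructed trees (versions and nesting assumed for illustration only).
const beforeOverride = {
  name: 'my-project', version: '1.0.0',
  dependencies: { backstopjs: { version: '6.3.0', dependencies: {
    puppeteer: { version: '21.0.0', dependencies: {
      'proxy-agent': { version: '6.3.0', dependencies: {
        'pac-proxy-agent': { version: '7.0.0', dependencies: {
          'pac-resolver': { version: '7.0.0', dependencies: {
            ip: { version: '1.1.8' } } } } } } } } } } } },
};
const afterOverride = {
  name: 'my-project', version: '1.0.0',
  dependencies: { backstopjs: { version: '6.3.0', dependencies: {
    puppeteer: { version: '21.0.0', dependencies: {
      'proxy-agent': { version: '6.4.0', dependencies: {
        'pac-proxy-agent': { version: '7.1.0', dependencies: {
          'pac-resolver': { version: '7.0.1', dependencies: {
            ip: { version: '1.1.9' } } } } } } } } } } } },
};

// Assumed fixed version for the demo; use the one your advisory names.
const MIN_IP = '1.1.9';
for (const hit of vulnerableInstalls(beforeOverride, 'ip', MIN_IP)) {
  console.log('still vulnerable:', hit.path.join(' > '));
}
console.log('after override:', vulnerableInstalls(afterOverride, 'ip', MIN_IP).length, 'vulnerable installs');
console.log(JSON.stringify(addOverride({ name: 'my-project' }, 'pnpm', 'proxy-agent@<6.4.0', '^6.4.0'), null, 2));
```

To run it against a real project, replace the constructed trees with `JSON.parse` of the output of `npm ls --all --json` (or the equivalent from your package manager) and pass the fixed version from the advisory as the minimum.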

@AloisSeckar
Author

Thank you for the quick solution.
