ip package vulnerabilities introduced through proxy-agent and socks-proxy-agent

[ckotyan]

Hi, I am upgrading to latest version of pubnub sdk (8.10.0), but the npm audit still runs into issues for ip package vulnerabilities. The ip package is a dependency of proxy-agent and socks-proxy-agent.
Could you please update those libraries into "proxy-agent": "^6.5.0", "socks-proxy-agent": "^8.0.5" and release a patch?
npm-overrides works as long as you have control of the package.json file but if your code is a library which is used by another top level module overrides do not work.

Thanks
CK

[parfeon]

Hello.

Is it possible to share any reports? None of vulnerably scan features see issue with it (GitHub Dependabot doesn't report anything)?

[ckotyan]

When I deleted node-modules and package-lock.json and reinstall the packages, the patched proxy-agent and sock-proxy-agent are being brought in by npm. In my case it was fine, but not everybody can delete those 2 to re-install all the packages.

[valeriobelli]

Hello all 👋🏽
If you use yarn, you can selectively upgrade transitive dependencies using yarn up -R (e.g., yarn up -R proxy-agent).

[parfeon]

@ckotyan but our package doesn't ship with node_modules when called npm install.

Also, according to the docs npm install will ignore package-lock.json if it is published with package:

The difference is that package-lock.json cannot be published, and it will be ignored if found in any place other than the root project.

So it is developer's responsibility to clean up or upgrade dependencies which he install for his project.

[ckotyan]

@parfeon people using pubnub sdk will have their own project and they will have to do what I did if they are using npm. My point was when the vulnerability is reported the top level library using the vulnerable package was found to be pubnub (of course not directly but indirectly). Hence my request to pubnub to upversion the libraries causing the report does not seem unreasonable. I understand there is away to fix it but it would be nice for pubnub to take action on that too.

[parfeon]

@ckotyan I was saying, that it is up to the NPM to pull out proper dependencies, when pubnub dependency installed in your project. Remove of package-lock.json and node_modules at root level will let npm install pull out latest intermediate packages.
If we update it in out package.json it will be only fixed, when you will update pubnub version in the project's package.json and npm install will just remove node_modules/pubnub and fetch dependencies for pubnub package only (instead of puling all dependencies for a project).

We make fixes only when receive vulnerability reports and it there were no reports on this library in current PubNub version.