Derived security vulnerability from `ip` package through `puppeteer` dependency
Just noticed Dependabot's security alert in my project regarding an SSRF vulnerability in ip 1.1.8. The dependency is being imported through puppeteer.
They already have an issue there, so I guess they will mitigate it sooner or later, although it looks like ip is currently not being developed. But once it is done, a new version of backstopjs will be required, so I am opening this to get attention.
Currently it is possible to shift back to version 6.2.2, which depends on an older (and also unmaintained) version of puppeteer, but this is obviously not the ideal solution.
This can be manually fixed in package.json by overriding proxy-agent for now. When puppeteer does so in their dependencies, it will organically find its way into backstop.
For example:
```json
"pnpm": {
  "overrides": {
    "proxy-agent@<6.4.0": "^6.4.0"
  }
}
```
Various audit utilities should pick up on the patch as well.
See overrides.
Thank you for the quick solution.