fix: ip dependency has vulnerability

[nimirium]

ip dependency has a vulnerability: GHSA-2p57-rm9w-gvfp.
It is used by proxy-agent version 6.3.0.
Bump proxy-agent to 6.5.0 which doesn't use ip.

[parfeon]

Hello.

We've double checked dependency tree for proxy-agent and there is no dependency against ip package:

npx npm-remote-ls [email protected] | grep ip                                                                                                                                                                                                             25s 11:33:20
(node:2196) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
   │  ├─ @tootallnate/[email protected]
   │     └─ [email protected]
   │  │  │  │  ├─ [email protected]
   │  │  │  │     ├─ [email protected]
   │  │  │  │  ├─ [email protected]
   │  │  │  ├─ [email protected]
   │     ├─ [email protected]
   │     │  ├─ [email protected]
   │     │  │  └─ [email protected]
   │     │  ├─ @babel/[email protected]
   │     │  ├─ [email protected]
   │     │  │  ├─ [email protected]
   ├─ [email protected]

So we will close this PR without merge.

[nimirium]

Hi @parfeon, thanks for replying. I'm afraid printing the tree the way you did doesn't cover my case, since it's not a direct dependency.

[email protected] requires pac-proxy-agent@^7.0.0 (link)
[email protected] requires pac-resolver@^7.0.0 (link)
[email protected] requires ip@^1.1.8 (link)

[nimirium]

yarn why ip 
yarn why v1.22.22
[1/4] 🤔  Why do we have the module "ip"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "_project_#pubnub#proxy-agent#pac-proxy-agent#pac-resolver" depends on it
   - Hoisted from "_project_#pubnub#proxy-agent#pac-proxy-agent#pac-resolver#ip"

[parfeon]

@nimirium I've removed package-lock.json and reinstalled dependencies, after which package-lock.json contains these:

• proxy-agent (6.4.0)
• pac-proxy-agent (7.0.2)
• pac-resolver (7.0.1) (download) which doesn't require ip package at all. This is pac-resolver dependencies.

[nimirium]

So you're basically saying "it works on my machine" 😄

proxy-agent@^6.3.0 may install version 6.3.0 for some, and a higher version for others. If you allow proxy-agent v6.3.0, you allow a vulnerability. Please patch this.

Meanwhile I'm using a selective dependency resolution in my package.json (in case someone else needs this):

"resolutions": {
  "pubnub/proxy-agent": "^6.5.0",
},

[parfeon]

I just tried to use yarn within package repo, and it still follows semver rules which let it pull out proxy-agent which fits ^ requirement:

yarn why ip                                                                                                                                                                                                                                         1m 23s 22:30:53
yarn why v1.22.22
[1/4] 🤔  Why do we have the module "ip"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
error We couldn't find a match!
✨  Done in 0.10s.