Server-Side Request Forgery vulnerability introduced in npm 10.4 [BUG]
Problem
Is there an existing issue for this?
- [X] I have searched the existing issues

This issue exists in the latest npm version
- [X] I am using the latest npm

Current Behavior

Expected Behavior
no SNYK detected security vulnerabilities

Steps To Reproduce
1. In this environment...
2. With this config...
3. Run '...'
4. See error...

Nothing to reproduce, this is a security vulnerability.

Environment
- npm: 10.4
- Node.js: 20.9.0
- OS Name: Windows 10
- System Model Name: Dell Evo
- npm config: [code block]
Solution
adding the CVE here so it can show up in search: CVE-2023-42282 --- https://github.com/advisories/GHSA-78xj-cgh5-2h22

it may be a false positive for `npm` itself, but I expect we won't hear the end of this till the lib is patched or replaced.

edit: `socks` has replaced it with `ip-address`, so bumping `socks` will resolve
Validation
Resolved in npm/cli GitHub issue #7216. Community reactions: 6 upvotes.
Submitted by Alex Chen