Security vulnerability of turbo gen #8483

@ghdtjgus76

Description

Verify canary release

  • I verified that the issue exists in the latest Turborepo canary release.

Link to code that reproduces this issue

.

What package manager are you using / does the bug impact?

pnpm

What operating system are you using?

Mac

Which canary version will you have in your reproduction?

turbo@2.0.4-canary.4

Describe the Bug

turbo/gen relies on proxy-agent, which in turn depends on pac-proxy-agent and socks-proxy-agent.
pac-proxy-agent uses pac-resolver and socks-proxy-agent.
socks-proxy-agent depends on the socks package, and both pac-resolver and socks depend on the ip package.
As indicated in the reference below, using the ip package can lead to security issues, which will be flagged as vulnerabilities in the repository's security tab.

GHSA-78xj-cgh5-2h22
indutny/node-ip#150

Expected Behavior

It seems that the ip package is currently not actively maintained.
To address such issues, it might be beneficial to consider modifying the package.

To Reproduce

.

Additional context

No response
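
The dependency chain described in this issue, as an added example that is not part of the original report or of Turborepo's code: a small Node.js script that lists every path by which `ip` enters the tree and which packages depend on it directly. The graph is constructed from the issue text, not read from a real lockfile; `pathsTo` and `directParents` are hypothetical helper names.

```javascript
// Dependency edges as stated in the issue (constructed sample, not a lockfile).
const graph = {
  "turbo/gen": ["proxy-agent"],
  "proxy-agent": ["pac-proxy-agent", "socks-proxy-agent"],
  "pac-proxy-agent": ["pac-resolver", "socks-proxy-agent"],
  "socks-proxy-agent": ["socks"],
  "pac-resolver": ["ip"],
  "socks": ["ip"],
  "ip": [],
};

// Depth-first enumeration of every path from root to target.
// Each path is one route that has to be cut (upgrade, override or
// replacement) before the flagged package leaves the install.
function pathsTo(deps, root, target) {
  const found = [];
  const walk = (name, trail) => {
    if (trail.includes(name)) return; // guard against dependency cycles
    const next = [...trail, name];
    if (name === target) {
      found.push(next);
      return;
    }
    for (const dep of deps[name] || []) walk(dep, next);
  };
  walk(root, []);
  return found;
}

// Packages that require the target directly: these are the ones whose
// maintainers would have to drop or swap the dependency.
function directParents(deps, target) {
  return Object.keys(deps)
    .filter((name) => deps[name].includes(target))
    .sort();
}

for (const p of pathsTo(graph, "turbo/gen", "ip")) {
  console.log(p.join(" > "));
}
console.log("direct dependents of ip:", directParents(graph, "ip").join(", "));
```

The same traversal works on a graph built from a real lockfile; only the `graph` object changes.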

Labels

kind: bug (Something isn't working)
needs: triage (New issues get this label. Remove it after triage)
