
fix(deps): bump pack-resolver version MONGOSH-1791 #2012

Merged: 1 commit, Jun 3, 2024

Conversation

paula-stacho (Contributor) commented Jun 3, 2024

https://jira.mongodb.org/browse/MONGOSH-1791

From the vulnerability description:
"An attacker can manipulate a system that uses isLoopback(), isPrivate() and isPublic functions to guard outgoing network requests to treat certain IP addresses as globally routable by supplying specially crafted IP addresses."

There is no fix for ip, but pac-resolver has a patch that removes the dependency on ip (implements its own isLoopback method). Unfortunately this fix hasn't bubbled up our dependency tree yet, which is why I'm proposing an override for the sub dependency. I'm not too happy about overrides, because they tend to be forgotten later - so I'm curious if we have a process for dealing with such situations
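The vulnerability description quoted above concerns address classifiers (isLoopback, isPrivate, isPublic) that can be made to treat an internal address as globally routable when the address is written in a non-canonical form. The following is an added example, not code from mongosh, pac-resolver or the ip package: a strict classifier for an outgoing-request guard that accepts only canonical dotted-quad IPv4 and canonical IPv6 literals, applies the IPv4 rules to the address embedded in an IPv4-mapped IPv6 literal, and fails closed (reports "invalid", so the guard refuses) on anything it cannot parse. The function names and the sample inputs are constructed for this example.

```javascript
// Added example (not mongosh, pac-resolver or `ip` code): a strict IP literal
// classifier for an outgoing-request guard. Only canonical forms are accepted;
// everything else is reported as "invalid" so the guard can fail closed.

// Canonical dotted-quad IPv4 only: four decimal octets, no leading zeros,
// no octal/hex/shorthand forms such as "0177.0.0.1", "0x7f.0.0.1" or "127.1".
function parseIPv4(addr) {
  if (typeof addr !== "string") return null;
  const parts = addr.split(".");
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Expand an IPv6 literal into eight 16-bit groups. An embedded IPv4 tail
// (e.g. "::ffff:127.0.0.1") is converted with the strict IPv4 parser above.
function parseIPv6(addr) {
  if (typeof addr !== "string" || !addr.includes(":")) return null;
  let s = addr;
  const lastColon = s.lastIndexOf(":");
  const tail = s.slice(lastColon + 1);
  if (tail.includes(".")) {
    const v4 = parseIPv4(tail);
    if (v4 === null) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    s = s.slice(0, lastColon + 1) + hi + ":" + lo;
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] === "" ? [] : halves[0].split(":");
  const rest = halves.length === 2 && halves[1] !== "" ? halves[1].split(":") : [];
  const missing = 8 - head.length - rest.length;
  // "::" must stand for at least one group; without "::" all eight must be present.
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(halves.length === 2 ? missing : 0).fill("0"), ...rest];
  const out = [];
  for (const g of groups) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
    out.push(parseInt(g, 16));
  }
  return out;
}

function classifyIPv4(o) {
  if (o[0] === 127) return "loopback"; // 127.0.0.0/8
  if (o[0] === 0) return "unspecified"; // 0.0.0.0/8
  if (o[0] === 10) return "private"; // 10.0.0.0/8
  if (o[0] === 172 && o[1] >= 16 && o[1] <= 31) return "private"; // 172.16.0.0/12
  if (o[0] === 192 && o[1] === 168) return "private"; // 192.168.0.0/16
  if (o[0] === 169 && o[1] === 254) return "link-local"; // 169.254.0.0/16
  return "public";
}

function classifyIPv6(g) {
  const zeroPrefix = g.slice(0, 5).every((x) => x === 0);
  if (zeroPrefix && g[5] === 0xffff) {
    // IPv4-mapped (::ffff:a.b.c.d): judge the embedded IPv4 address by its own rules.
    return classifyIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  }
  if (zeroPrefix && g[5] === 0 && g[6] === 0) {
    if (g[7] === 1) return "loopback"; // ::1
    if (g[7] === 0) return "unspecified"; // ::
  }
  if ((g[0] & 0xfe00) === 0xfc00) return "private"; // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return "link-local"; // fe80::/10
  return "public";
}

// Returns "loopback", "private", "link-local", "unspecified", "public" or "invalid".
function classifyAddress(addr) {
  const v4 = parseIPv4(addr);
  if (v4 !== null) return classifyIPv4(v4);
  const v6 = parseIPv6(addr);
  if (v6 !== null) return classifyIPv6(v6);
  return "invalid";
}

// Guard for outgoing requests: only canonical public addresses pass; internal
// ranges and anything unparseable are refused rather than defaulting to "public".
function isAllowedEgressTarget(addr) {
  return classifyAddress(addr) === "public";
}

// Constructed sample inputs mixing canonical and non-canonical forms.
const samples = ["127.0.0.1", "127.1", "0177.0.0.1", "::ffff:127.0.0.1", "10.0.0.5", "8.8.8.8", "2001:db8::1"];
for (const s of samples) {
  console.log(s.padEnd(18), classifyAddress(s).padEnd(12), isAllowedEgressTarget(s) ? "allow" : "refuse");
}
```

The design point is the last branch of each function: an address the parser cannot account for is never silently promoted to "public". A guard like this should be applied to the address the request will actually connect to (after name resolution), since a hostname string alone says nothing about where it resolves.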

addaleax (Contributor) commented Jun 3, 2024

Unfortunately this fix hasn't bubbled up our dependency tree yet, which is why I'm proposing an override for the sub dependency. I'm not too happy about overrides, because they tend to be forgotten later - so I'm curious if we have a process for dealing with such situations

Is there anything speaking against updating pac-resolver directly instead of using overrides? e.g.

npm i pac-resolver@7.0.1 && git checkout -- package.json && npm i

on a clean checkout of main seems to do the trick for me.

paula-stacho (Contributor, Author) commented

Unfortunately this fix hasn't bubbled up our dependency tree yet, which is why I'm proposing an override for the sub dependency. I'm not too happy about overrides, because they tend to be forgotten later - so I'm curious if we have a process for dealing with such situations

Is there anything speaking against updating pac-resolver directly instead of using overrides? e.g.

npm i pac-resolver@7.0.1 && git checkout -- package.json && npm i

on a clean checkout of main seems to do the trick for me.

ah, yes 🤦 I don't know why it didn't occur to me to try that :D

paula-stacho changed the title from "fix(cli-repl,browser-repl): override pack-resolver version MONGOSH-1791" to "fix(cli-repl,browser-repl): bump pack-resolver version MONGOSH-1791" on Jun 3, 2024
addaleax (Contributor) left a review comment:

🚀

addaleax changed the title from "fix(cli-repl,browser-repl): bump pack-resolver version MONGOSH-1791" to "fix(deps): bump pack-resolver version MONGOSH-1791" on Jun 3, 2024
addaleax merged commit 673b1bc into main on Jun 3, 2024 (60 of 65 checks passed)
addaleax deleted the MONGOSH-1791 branch on June 3, 2024 13:20

2 participants