[agent] chore(deps): bump ip-address to >=10.1.1 (GHSA-v2v4-37r5-5v8g / CVE-2026-42338) #741
Draft
github-actions[bot] wants to merge 1 commit into main from
- Add root overrides.ip-address: ^10.1.1 to force all transitive consumers (@mongodb-js/socksv5@0.0.10, socks@2.8.3) onto the patched release; @mongodb-js/socksv5 has no newer release that clears the advisory, so the override is the only viable lockfile fix
- Bump packages/devtools-connect socks range from ^2.7.3 to ^2.8.8 so the workspace-local copy also uses the version that officially ships ip-address@^10.1.1

Fixes GHSA-v2v4-37r5-5v8g / CVE-2026-42338 (Dependabot alert #257)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary

Resolves Dependabot alert #257 — GHSA-v2v4-37r5-5v8g / CVE-2026-42338: XSS in `ip-address` `Address6` HTML-emitting methods (`group()`, `link()`, `spanAll()`, `AddressError.parseMessage`).

Patched version: `ip-address@10.1.1+`

Changes

1. Root `package.json` — added `overrides`

   Why an override? Two transitive consumers existed:

   - `socks@2.8.3` (required by `socks-proxy-agent`) — requires `ip-address@^9.0.5`; no newer `socks-proxy-agent` release bumps this range
   - `@mongodb-js/socksv5@0.0.10` — requires `ip-address@^9.0.5`; only one published version exists, so a direct manifest bump in `devtools-proxy-support` cannot clear the advisory

   The override forces all packages, including the stuck `@mongodb-js/socksv5`, onto `ip-address@10.2.0` (the latest patched release).

2. `packages/devtools-connect/package.json`

   Bumped `socks` from `^2.7.3` → `^2.8.8` so the workspace-local copy uses the release that officially declares `ip-address@^10.1.1` as its dependency.

Result

`package-lock.json` now contains a single `ip-address` entry at `10.2.0` — no nested vulnerable copies remain.