[Snyk] Security upgrade socks-proxy-agent from 4.0.2 to 5.0.0#14
[Snyk] Security upgrade socks-proxy-agent from 4.0.2 to 5.0.0#14dmitriz wants to merge 1 commit into
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-IP-12704893 - https://snyk.io/vuln/SNYK-JS-IP-12761655
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the ✨ Finishing touches🧪 Generate unit tests
Tip 👮 Agentic pre-merge checks are now available in preview!Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.
Please see the documentation for more information. Example: reviews:
pre_merge_checks:
custom_checks:
- name: "Undocumented Breaking Changes"
mode: "warning"
instructions: |
Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).Please share your feedback with us on this Discord post. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary of ChangesHello @dmitriz, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request is an automated security update initiated by Snyk to enhance the project's security posture. It specifically targets and resolves two critical Server-side Request Forgery (SSRF) vulnerabilities by updating the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Code Review
This PR addresses two high-severity SSRF vulnerabilities by upgrading socks-proxy-agent from version 4.x to 5.0.0. This is a crucial security fix. However, this is a major version upgrade that introduces breaking changes. As detailed in my comment, the way SocksProxyAgent is instantiated in the code is incompatible with version 5, which will likely break functionality for users relying on a SOCKS proxy. This dependency upgrade should be coupled with code changes to adapt to the new version's API.
| "https-proxy-agent": "^2.2.1", | ||
| "request": "^2.85.0", | ||
| "socks-proxy-agent": "^4.0.1", | ||
| "socks-proxy-agent": "^5.0.0", |
There was a problem hiding this comment.
Upgrading socks-proxy-agent to a new major version (5.0.0) is important for security, but it introduces breaking changes that will likely break SOCKS proxy functionality in this library.
The constructor for SocksProxyAgent has changed in v5. It now expects the proxy URI as a string, e.g., new SocksProxyAgent('socks://...').
The current implementation in node-binance-api.js (lines 391-395 and 442-446) uses an older constructor pattern with an options object, which is no longer the primary supported method and may be broken.
To fix this, the instantiation of SocksProxyAgent in node-binance-api.js needs to be updated. For example:
// In node-binance-api.js
// ...
if (socksproxy !== false) {
socksproxy = proxyReplacewithIp(socksproxy);
if (Binance.options.verbose) Binance.options.log('using socks proxy server ' + socksproxy);
let agent = new SocksProxyAgent(socksproxy); // Pass the URI string directly
ws = new WebSocket(stream + endpoint, { agent: agent });
// ...Since node-binance-api.js is not part of this PR's changes, this dependency upgrade should be accompanied by another PR that applies the necessary code changes to maintain compatibility. Without these changes, this upgrade will likely lead to runtime errors for users of SOCKS proxies.
There was a problem hiding this comment.
Auto Pull Request Review from LlamaPReview
Review Status: Automated Review Skipped
Dear contributor,
Thank you for your Pull Request. LlamaPReview has analyzed your changes and determined that this PR does not require an automated code review.
Analysis Result:
PR contains only a dependency version bump for security vulnerabilities, with no substantive code changes or logic modifications. The change is limited to updating the 'socks-proxy-agent' version in package.json, which is a routine security update.
We're continuously improving our PR analysis capabilities. Have thoughts on when and how LlamaPReview should perform automated reviews? Share your insights in our GitHub Discussions.
Best regards,
LlamaPReview Team
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-IP-12704893
SNYK-JS-IP-12761655
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Server-side Request Forgery (SSRF)