
deps: resolve ip-address GHSA-v2v4-37r5-5v8g via scoped overrides#3695

Merged
tlowrimore-heroku merged 2 commits into main from 3pp/ip-address-upgrade on May 8, 2026

Conversation

@tlowrimore-heroku
Contributor

Summary

Adds two scoped npm overrides — socks: ^2.8.8 and express-rate-limit: ^8.5.1 — to pull patched ip-address (≥ 10.1.1) into every chain that's API-compatible with v10. The remaining ip-address@5.9.4 install under @heroku/socksv5@0.0.9 is intentionally retained because socksv5 calls the v5 API (addr.valid, addr.parsedAddress) and is not compatible with ip-address v10.

After this change, npm ls ip-address --all:

├─┬ @heroku/mcp-server → @modelcontextprotocol/sdk → express-rate-limit@8.5.1 (overridden)
│   └── ip-address@10.2.0                                                       (PATCHED)
├── @heroku/socksv5@0.0.9
│   └── ip-address@5.9.4                                                        (retained — see below)
├── @oclif/plugin-plugins → npm@10.9.6 (bundled) → socks@2.8.7 → ip-address@10.1.0
│                                                                                (bundled-npm chain — fixed by #3694)
└── @oclif/plugin-update → proxy-agent → socks@2.8.8 (overridden)
    └── ip-address@10.2.0                                                       (PATCHED)

Advisory closed

Why scoped overrides instead of a top-level ip-address pin

A top-level "ip-address": "^10.1.1" override would also rewrite the version inside @heroku/socksv5@0.0.9. socksv5 calls new Address6(str) and reads addr.valid / addr.parsedAddress. In ip-address v10 the constructor throws on invalid input rather than setting addr.valid, and the valid instance property no longer exists. Forcing v10 here would break SOCKS5 IPv6 parsing. Pinning the parents (socks, express-rate-limit) avoids this and keeps socksv5's v5 install intact.

Note on residual ip-address@5.9.4 exposure

The advisory's vulnerable surfaces are HTML-emitting methods (Address6.group(), Address6.link(), v6.helpers.spanAll(), AddressError.parseMessage) that produce HTML for browser rendering. The Heroku CLI is a Node.js command-line tool with no DOM, no HTML sink, and no innerHTML path. The advisory itself notes "real-world exposure is believed to be extremely limited — analysis of all 425 dependent npm packages and GitHub code search found zero consumers of group(), link(), or spanAll()." @heroku/socksv5 only consumes parsedAddress and never invokes any of the vulnerable methods, so the remaining 5.9.4 install has no realistic exploit path.

Interaction with #3694

The bundled npm@10.9.6 chain inside @oclif/plugin-plugins@5.4.58 reaches socks@2.8.7 → ip-address@10.1.0 via npm's vendored bundle, which doesn't honor the parent project's overrides. PR #3694 (bumping @oclif/plugin-plugins to ^5.4.64) replaces that with npm@11.x, which has a refreshed bundle. Either PR independently leaves the alert closeable; together they close it cleanly.

Test plan

  • npm install clean
  • npm ls ip-address --all shows patched 10.x via socks and express-rate-limit overrides
  • npm run build succeeds
  • npm run lint succeeds (0 errors)
  • npm test passes (1955 passing)
  • Manual smoke test of any SOCKS5 proxy code path that exercises @heroku/socksv5 (regression check that retaining ip-address@5.9.4 there is fine)
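The second test-plan item can be checked mechanically. The following is an added example (my code, not from the Heroku CLI repository): it walks the JSON form of `npm ls ip-address --all --json`, requires every ip-address install to be at or above the 10.1.1 fix floor, and accepts only installs whose direct parent is on an allowlist (here @heroku/socksv5, the exception this PR keeps). The sample tree is constructed from the chains in the description, with placeholder versions for intermediate packages.

```javascript
// Added example, not code from the Heroku CLI repo: audit the JSON form of
// `npm ls ip-address --all --json` after the scoped overrides are applied.
// Every ip-address install must be >= 10.1.1 (the fixed range for
// GHSA-v2v4-37r5-5v8g) unless its direct parent is on an explicit allowlist
// of packages that still need the v5 API, the exception this PR keeps for socksv5.
const PATCHED_MIN = [10, 1, 1];
const ALLOWED_PARENTS = new Set(["@heroku/socksv5"]);

const parseVersion = (v) => v.split(".").map(Number);
const atLeast = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
};

// Depth-first walk of the npm ls tree, recording each install of `pkg`
// together with the chain of package names leading to it.
function findInstalls(node, pkg, chain = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...chain, name];
    if (name === pkg && child.version) out.push({ version: child.version, chain: here });
    findInstalls(child, pkg, here, out);
  }
  return out;
}

// Classify each install: PATCHED, RETAINED (allowlisted parent) or VULNERABLE.
function auditIpAddress(tree) {
  return findInstalls(tree, "ip-address").map(({ version, chain }) => {
    const parent = chain.length > 1 ? chain[chain.length - 2] : "(root)";
    const patched = atLeast(parseVersion(version), PATCHED_MIN);
    const status = patched ? "PATCHED" : ALLOWED_PARENTS.has(parent) ? "RETAINED" : "VULNERABLE";
    return { chain: chain.join(" > "), version, status };
  });
}

// Constructed sample mirroring the chains in the PR description (not real
// npm output); intermediate package versions are placeholders.
const SAMPLE_TREE = { dependencies: {
  "@heroku/mcp-server": { version: "0.0.0-placeholder", dependencies: {
    "@modelcontextprotocol/sdk": { version: "0.0.0-placeholder", dependencies: {
      "express-rate-limit": { version: "8.5.1", overridden: true, dependencies: {
        "ip-address": { version: "10.2.0" } } } } } } },
  "@heroku/socksv5": { version: "0.0.9", dependencies: { "ip-address": { version: "5.9.4" } } },
  "@oclif/plugin-plugins": { version: "5.4.58", dependencies: { npm: { version: "10.9.6", dependencies: {
    socks: { version: "2.8.7", dependencies: { "ip-address": { version: "10.1.0" } } } } } } },
  "@oclif/plugin-update": { version: "0.0.0-placeholder", dependencies: {
    "proxy-agent": { version: "0.0.0-placeholder", dependencies: {
      socks: { version: "2.8.8", overridden: true, dependencies: { "ip-address": { version: "10.2.0" } } } } } } },
} };
console.table(auditIpAddress(SAMPLE_TREE));
```

On the constructed sample the only install reported as VULNERABLE is the bundled-npm chain (socks@2.8.7 → ip-address@10.1.0), which is the one #3694 addresses; the socksv5 install is reported as RETAINED rather than failing the check.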

Adds scoped npm overrides pinning the intermediate parents of
ip-address — socks ^2.8.8 and express-rate-limit ^8.5.1 — both of
which depend on patched ip-address (^10.1.1 / ^10.2.0). Pinning
the parents (rather than ip-address directly) leaves
@heroku/socksv5@0.0.9 on its existing ip-address@5.x; socksv5
calls the v5 API (addr.valid, addr.parsedAddress) and is not
back-compatible with ip-address v10.

The advisory's vulnerable surfaces (Address6.group/.link/spanAll/
parseMessage) are HTML-emitting methods. The Heroku CLI has no
DOM/HTML sink, and socksv5 only consumes parsedAddress, so the
remaining ip-address@5.9.4 install has no exploit path.

- Resolves ip-address XSS in Address6 HTML methods (GHSA-v2v4-37r5-5v8g, MEDIUM)

Closes Dependabot alerts: #309
@tlowrimore-heroku tlowrimore-heroku marked this pull request as ready for review May 8, 2026 15:51
@tlowrimore-heroku tlowrimore-heroku requested a review from a team as a code owner May 8, 2026 15:51

@jdodson jdodson left a comment


Approved.

@tlowrimore-heroku tlowrimore-heroku merged commit 6bb47ec into main May 8, 2026
17 checks passed
@tlowrimore-heroku tlowrimore-heroku deleted the 3pp/ip-address-upgrade branch May 8, 2026 17:49