[Snyk] Fix for 1 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • examples/custom-libp2p/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	823/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: libp2p

The new version differs by 250 commits.

• d6bb967 chore: release version v0.32.0
• d48005b chore: update contributors
• 67b97e3 chore: add migration guide to 0.32 (#957)
• 664ba2d chore: release version v0.32.0-rc.0
• 608564b chore: update contributors
• af723b3 fix: do not allow dial to large number of multiaddrs (#954)
• 13cf476 chore: update to new multiformats (#948)
• 39b0358 chore: use libp2p-tcp with types (#952)
• f7183e8 chore: release version v0.31.7
• b9988ad chore: update contributors
• b291bc0 fix: dialer leaking resources after stopping (#947)
• 755eb90 chore: update gossipsub dep for example
• afe0f85 chore: use node 16
• 50f7f32 chore: update branch
• 052aad4 chore: use node 15 in ci
• 2c4b567 chore: restructure pubsub tests
• 2a6a635 chore: remove ipfs-utils dep (#953)
• cd152f1 chore: add secure websockets example (#930)
• 2959794 chore: add more details on DHT configuration in CONFIGURATION.md (#951)
• 2068c84 chore: configuration format fix
• d8ba284 fix: chat example with new multiaddr (#946)
• 869d35d chore: release version v0.31.6
• d6540bf chore: update contributors
• 478963a feat: keychain rotate passphrase (#944)

See the full diff

Package name: libp2p-kad-dht

The new version differs by 150 commits.

• 42eb5eb chore: release version v0.19.0
• 0ed345a chore: update contributors
• 568c19c chore: use new content and peer routing apis ([Snyk] Security upgrade electron from 2.0.18 to 22.3.5 #181)
• 129566f chore: update interface links ([Snyk] Security upgrade electron from 2.0.18 to 21.4.4 #182)
• a00b470 chore: release version v0.19.0-pre.0
• 12d0872 chore: use libp2p 0.28.x branch
• f0fb212 chore: peer-discovery not using peer-info ([Snyk] Security upgrade aegir from 14.0.0 to 20.0.0 #180)
• b9e45ff chore: release version v0.19.0-pre.0
• 67a2db7 chore: update contributors
• 194c701 chore: use new peer store api ([Snyk] Security upgrade aegir from 14.0.0 to 36.2.3 #179)
• 6456cc8 chore: release version v0.18.6
• 8d31075 chore: update contributors
• fe3b218 chore(deps): bump cids from 0.7.5 to 0.8.0 ([Snyk] Security upgrade electron from 2.0.18 to 20.3.9 #178)
• 7b8d115 chore(deps): bump p-map from 3.0.0 to 4.0.0 ([Snyk] Security upgrade electron from 2.0.18 to 20.3.10 #177)
• 764ba63 chore(deps-dev): bump sinon from 8.1.1 to 9.0.0 ([Snyk] Security upgrade webpack-dev-server from 2.11.5 to 3.1.10 #176)
• 5ee91d7 chore(deps-dev): bump aegir from 20.6.1 to 21.0.2 ([Snyk] Security upgrade webpack from 4.46.0 to 5.0.0 #175)
• 698fc51 chore: release version v0.18.5
• 636d4c2 chore: update contributors
• de85eb6 fix: remove use of assert module ([Snyk] Security upgrade libp2p-spdy from 0.12.1 to 0.13.0 #173)
• 7b99370 chore: release version v0.18.4
• c5721d0 chore: update contributors
• 3731a2e chore(deps): bump libp2p-interfaces from 0.1.7 to 0.2.3 ([Snyk] Security upgrade aegir from 14.0.0 to 31.0.0 #171)
• 49f8e46 chore(deps-dev): bump datastore-level from 0.12.1 to 0.14.1 ([Snyk] Fix for 1 vulnerabilities #169)
• 6b7dcbf chore(deps-dev): bump sinon from 7.5.0 to 8.1.1 ([Snyk] Security upgrade electron from 2.0.18 to 19.1.5 #168)

See the full diff

Package name: libp2p-mdns

The new version differs by 35 commits.

• afca4bf chore: release version v0.17.0
• 3787bfa chore: update contributors
• 0b974bc chore: update deps ([Snyk] Security upgrade aegir from 14.0.0 to 21.9.0 #100)
• 0bb4d4a chore: release version v0.16.0
• 3285018 chore: update contributors
• b8c7bf3 chore: update deps ([Snyk] Security upgrade electron from 2.0.18 to 15.5.5 #98)
• ddcc10b chore: release version v0.15.0
• 061c3f0 chore: update contributors
• 3cf0e75 chore: upgrade deps ([Snyk] Security upgrade electron-rebuild from 1.11.0 to 3.0.0 #97)
• e1087a9 chore: release version v0.14.3
• 0ecc116 chore: update contributors
• 9fea1f6 fix: ensure event handlers are removed on MulticastDNS.stop ([Snyk] Fix for 1 vulnerabilities #96)
• 9186dbf chore: release version v0.14.2
• 183c065 chore: update contributors
• 9f45f73 fix: actually check tcp multiaddrs ([Snyk] Fix for 1 vulnerabilities #94)
• 60a0dbe chore: release version v0.14.1
• edec51d chore: update contributors
• 3dc9475 test(fix): wait for the right peer in 3+ tests ([Snyk] Fix for 1 vulnerabilities #92)
• cfe90c6 chore: use address manager ([Snyk] Security upgrade electron from 2.0.18 to 15.5.3 #91)
• 5b46aaa chore: release version v0.14.0
• bcf3e44 chore: update contributors
• fca175e chore: peer-discovery not using peer-info ([Snyk] Fix for 1 vulnerabilities #90)
• ecdda6e chore: release version v0.13.3
• 28c0ae1 chore: update contributors

See the full diff

Package name: libp2p-secio

The new version differs by 15 commits.

• b3a7040 chore: release version v0.12.1
• f1e79ce chore: update contributors
• b22152a chore: clean up published package ([Snyk] Security upgrade electron from 2.0.18 to 10.4.1 #110)
• aea41de chore: release version v0.12.0
• c081ea5 chore: update contributors
• 8ad4c15 refactor: use async await ([Snyk] Security upgrade electron from 2.0.18 to 15.5.6 #108)
• 774267f docs(fix): readme typo ([Snyk] Security upgrade ipfs from 0.30.0 to 0.34.0 #107)
• 1329e9c chore: add discourse badge ([Snyk] Fix for 1 vulnerabilities #105)
• 9b16472 chore: release version v0.11.1
• dac8520 chore: update contributors
• 581d80f chore: update deps
• f95a406 fix: reduce bundle size
• 80e3420 chore: release version v0.11.0
• 5d46976 chore: update contributors
• a6290f2 chore: update dependencies

See the full diff

Package name: libp2p-tcp

The new version differs by 60 commits.

• 9fcd053 chore: release version v0.17.0
• 162adc4 chore: update contributors
• b3e315a chore: update deps ([Snyk] Security upgrade libp2p-webrtc-star from 0.15.8 to 0.24.0 #147)
• 23e4fde chore: use node 16 in ci ([Snyk] Security upgrade ipfs from 0.30.0 to 0.51.0 #146)
• c9207e1 chore: release version v0.16.0
• 3780621 chore: update contributors
• 3249e02 feat: add types ([Snyk] Security upgrade electron from 2.0.18 to 18.3.14 #145)
• 4789cf1 chore: release version v0.15.4
• 48b8376 chore: update contributors
• 7dfdf10 chore: update deps ([Snyk] Security upgrade aegir from 14.0.0 to 37.2.0 #144)
• d39ad01 chore: update url interfaces (6 #143)
• 37406d1 chore: release version v0.15.3
• 2df4789 chore: update contributors
• 3813100 fix: hanging close promise ([Snyk] Fix for 5 vulnerabilities #140)
• 8661c09 chore: release version v0.15.2
• f9e3297 chore: update contributors
• af9804e fix: intermittent error when asking for interfaces ([Snyk] Security upgrade electron from 2.0.18 to 19.0.15 #137)
• e9e1f56 chore: release version v0.15.1
• dee839e chore: update contributors
• 8ff9f60 chore: update deps ([Snyk] Security upgrade ipfs from 0.30.0 to 0.64.0 #136)
• f17525a chore: update deps ([Snyk] Security upgrade electron from 2.0.18 to 15.5.3 #135)
• b524848 chore: release version v0.15.0
• 926a99c chore: update contributors
• d9f9912 chore: update deps ([Snyk] Security upgrade aegir from 14.0.0 to 37.5.2 #134)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[socket-security]

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/libp2p-kad-dht@0.19.9	Transitive: environment, eval, filesystem	+68	24.2 MB
npm/libp2p-mdns@0.17.0	Transitive: filesystem, network	+23	16.1 MB	vascosantos
npm/libp2p-secio@0.12.6	Transitive: environment, eval	+40	23.3 MB
npm/libp2p-tcp@0.17.2	network	+16	1.35 MB	vascosantos
npm/libp2p@0.32.5	Transitive: environment, filesystem, network, shell	+99	21 MB	vascosantos

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/protobufjs@6.11.4	Install script: postinstall Source: node scripts/postinstall	examples/custom-libp2p/package.json
HTTP dependency	npm/ipfs-utils@8.1.6	Dependency: node-fetch@https://registry.npmjs.org/@achingbrain/node-fetch/-/node-fetch-2.6.7.tgz Location: Package overview	examples/custom-libp2p/package.json

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

What are http dependencies?

Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability.

Publish the HTTP URL dependency to npm or a private package repository and consume it from there.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/protobufjs@6.11.4
• @SocketSecurity ignore npm/ipfs-utils@8.1.6