[Snyk] Fix for 1 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	823/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ipfs-repo

The new version differs by 41 commits.

• 62cc749 chore: release version v0.27.0
• 8b79982 chore: update contributors
• e6db5cf feat: refactor/async await ([Snyk] Security upgrade electron from 2.0.18 to 23.2.3 #199)
• 25cecd7 chore: release version v0.26.6
• 3af3c57 chore: update contributors
• 9c7cb0b chore: update cids dependency ([Snyk] Security upgrade electron from 2.0.18 to 22.3.23 #198)
• e8f658f chore: release version v0.26.5
• 1b011c6 chore: update contributors
• 99b13c1 chore: update datastore-level ([Snyk] Security upgrade aegir from 14.0.0 to 31.0.0 #196)
• 4e5ae79 chore: release version v0.26.4
• 2f3124d chore: update contributors
• 0aa9d77 fix: reduce bundle size ([Snyk] Security upgrade ipfs from 0.30.0 to 0.64.0 #186)
• ca31174 chore: release version v0.26.3
• 354ea54 chore: update contributors
• 73d95cd fix: update lock file package to fix compromised lock check ([Snyk] Security upgrade aegir from 14.0.0 to 17.0.0 #193)
• c018653 chore: release version v0.26.2
• bc9c656 chore: update contributors
• a33c5f0 chore: fix npm dist files
• c845011 chore: release version v0.26.2-rc.0
• ff7f068 chore: update contributors
• 14051c4 chore: update deps
• 23f49f2 chore: move to travis ([Snyk] Security upgrade electron-rebuild from 1.11.0 to 3.2.4 #190)
• 01a4737 chore: release version v0.26.1
• 8131dc0 chore: update contributors

See the full diff

Package name: ipld

The new version differs by 182 commits.

• 47cf0ee chore: release version v0.30.2
• 06a3eb7 chore: update contributors
• b0cf7ee chore: release version v0.30.1
• c278004 chore: update contributors
• ea513b9 chore: add deprecation notice
• a53ebcf fix: race condition in `getFormat` ([Snyk] Security upgrade libp2p-webrtc-star from 0.15.8 to 0.24.0 #299)
• 021b419 chore: release version v0.30.0
• ee6ff19 chore: update contributors
• 60426a7 chore: update deps ([Snyk] Security upgrade ipfs from 0.30.0 to 0.66.1 #298)
• 619e4d7 chore: release version v0.29.0
• a844092 chore: update contributors
• 64fdc68 chore: adds types ([Snyk] Fix for 13 vulnerabilities #297)
• 548ec42 chore: release version v0.28.0
• 05ae995 chore: update contributors
• 574ce93 docs: fix README usage example
• 10c3777 chore: update deps
• 0200768 chore: release version v0.27.3
• bcf8882 chore: update contributors
• b412899 fix: use correct property when checking if resolver exists
• 1a115e7 chore: release version v0.27.2
• a17d6f1 chore: update contributors
• 78c8769 feat: expose getFormat function
• 5bdfe5c chore: release version v0.27.1
• da4ba15 chore: update contributors

See the full diff

Package name: libp2p

The new version differs by 250 commits.

• d6bb967 chore: release version v0.32.0
• d48005b chore: update contributors
• 67b97e3 chore: add migration guide to 0.32 (#957)
• 664ba2d chore: release version v0.32.0-rc.0
• 608564b chore: update contributors
• af723b3 fix: do not allow dial to large number of multiaddrs (#954)
• 13cf476 chore: update to new multiformats (#948)
• 39b0358 chore: use libp2p-tcp with types (#952)
• f7183e8 chore: release version v0.31.7
• b9988ad chore: update contributors
• b291bc0 fix: dialer leaking resources after stopping (#947)
• 755eb90 chore: update gossipsub dep for example
• afe0f85 chore: use node 16
• 50f7f32 chore: update branch
• 052aad4 chore: use node 15 in ci
• 2c4b567 chore: restructure pubsub tests
• 2a6a635 chore: remove ipfs-utils dep (#953)
• cd152f1 chore: add secure websockets example (#930)
• 2959794 chore: add more details on DHT configuration in CONFIGURATION.md (#951)
• 2068c84 chore: configuration format fix
• d8ba284 fix: chat example with new multiaddr (#946)
• 869d35d chore: release version v0.31.6
• d6540bf chore: update contributors
• 478963a feat: keychain rotate passphrase (#944)

See the full diff

Package name: libp2p-bootstrap

The new version differs by 46 commits.

• 216ff30 chore: release version v0.13.0
• 05e51b5 chore: update contributors
• 597144f chore: update deps ([Snyk] Security upgrade aegir from 14.0.0 to 17.0.0 #114)
• c4a0a4e chore: release version v0.12.3
• 8142313 chore: update contributors
• aeab2bf fix: build ([Snyk] Security upgrade electron from 2.0.18 to 11.4.9 #113)
• 46eb376 chore: update deps ([Snyk] Security upgrade electron from 2.0.18 to 10.4.4 #112)
• d72d6c9 chore: release version v0.12.2
• f02d280 chore: update contributors
• 9f8dd76 chore: remove tsc from tests
• 269b807 feat: add types and update deps ([Snyk] Security upgrade electron from 2.0.18 to 12.2.2 #111)
• adcc55a docs: update usage to reflect full libp2p config ([Snyk] Security upgrade electron from 2.0.18 to 10.4.1 #110)
• 5fcc746 chore: remove SoL-arnet boxen bootstrap nodes from test fixture ([Snyk] Security upgrade electron from 2.0.18 to 15.5.5 #98)
• 80d84fa chore: release version v0.12.1
• f8f95f7 chore: update contributors
• fb719ed chore: update deps ([Snyk] Security upgrade ipfs from 0.30.0 to 0.34.0 #107)
• 1d2ca16 chore: release version v0.12.0
• d38c837 chore: update contributors
• b59b7ad fix: replace node buffers with uint8arrays ([Snyk] Security upgrade ipfs-repo from 0.24.0 to 0.26.5 #106)
• d14bd1e chore(deps-dev): bump aegir from 21.10.2 to 22.0.0 ([Snyk] Security upgrade electron from 2.0.18 to 15.5.6 #104)
• 189e2a7 chore: release version v0.11.0
• 3f992d5 chore: update contributors
• 01ce4ec Merge pull request [Snyk] Security upgrade aegir from 14.0.0 to 36.2.3 #103 from libp2p/chore/peer-discovery-not-using-peer-info
• 3a9200e chore: use new libp2p-interfaces release

See the full diff

Package name: libp2p-kad-dht

The new version differs by 150 commits.

• 42eb5eb chore: release version v0.19.0
• 0ed345a chore: update contributors
• 568c19c chore: use new content and peer routing apis ([Snyk] Security upgrade electron from 2.0.18 to 22.3.5 #181)
• 129566f chore: update interface links ([Snyk] Security upgrade electron from 2.0.18 to 21.4.4 #182)
• a00b470 chore: release version v0.19.0-pre.0
• 12d0872 chore: use libp2p 0.28.x branch
• f0fb212 chore: peer-discovery not using peer-info ([Snyk] Security upgrade aegir from 14.0.0 to 20.0.0 #180)
• b9e45ff chore: release version v0.19.0-pre.0
• 67a2db7 chore: update contributors
• 194c701 chore: use new peer store api ([Snyk] Security upgrade aegir from 14.0.0 to 36.2.3 #179)
• 6456cc8 chore: release version v0.18.6
• 8d31075 chore: update contributors
• fe3b218 chore(deps): bump cids from 0.7.5 to 0.8.0 ([Snyk] Security upgrade electron from 2.0.18 to 20.3.9 #178)
• 7b8d115 chore(deps): bump p-map from 3.0.0 to 4.0.0 ([Snyk] Security upgrade electron from 2.0.18 to 20.3.10 #177)
• 764ba63 chore(deps-dev): bump sinon from 8.1.1 to 9.0.0 ([Snyk] Security upgrade webpack-dev-server from 2.11.5 to 3.1.10 #176)
• 5ee91d7 chore(deps-dev): bump aegir from 20.6.1 to 21.0.2 ([Snyk] Security upgrade webpack from 4.46.0 to 5.0.0 #175)
• 698fc51 chore: release version v0.18.5
• 636d4c2 chore: update contributors
• de85eb6 fix: remove use of assert module ([Snyk] Security upgrade libp2p-spdy from 0.12.1 to 0.13.0 #173)
• 7b99370 chore: release version v0.18.4
• c5721d0 chore: update contributors
• 3731a2e chore(deps): bump libp2p-interfaces from 0.1.7 to 0.2.3 ([Snyk] Security upgrade aegir from 14.0.0 to 31.0.0 #171)
• 49f8e46 chore(deps-dev): bump datastore-level from 0.12.1 to 0.14.1 ([Snyk] Fix for 1 vulnerabilities #169)
• 6b7dcbf chore(deps-dev): bump sinon from 7.5.0 to 8.1.1 ([Snyk] Security upgrade electron from 2.0.18 to 19.1.5 #168)

See the full diff

Package name: libp2p-mdns

The new version differs by 35 commits.

• afca4bf chore: release version v0.17.0
• 3787bfa chore: update contributors
• 0b974bc chore: update deps ([Snyk] Security upgrade aegir from 14.0.0 to 21.9.0 #100)
• 0bb4d4a chore: release version v0.16.0
• 3285018 chore: update contributors
• b8c7bf3 chore: update deps ([Snyk] Security upgrade electron from 2.0.18 to 15.5.5 #98)
• ddcc10b chore: release version v0.15.0
• 061c3f0 chore: update contributors
• 3cf0e75 chore: upgrade deps ([Snyk] Security upgrade electron-rebuild from 1.11.0 to 3.0.0 #97)
• e1087a9 chore: release version v0.14.3
• 0ecc116 chore: update contributors
• 9fea1f6 fix: ensure event handlers are removed on MulticastDNS.stop ([Snyk] Fix for 1 vulnerabilities #96)
• 9186dbf chore: release version v0.14.2
• 183c065 chore: update contributors
• 9f45f73 fix: actually check tcp multiaddrs ([Snyk] Fix for 1 vulnerabilities #94)
• 60a0dbe chore: release version v0.14.1
• edec51d chore: update contributors
• 3dc9475 test(fix): wait for the right peer in 3+ tests ([Snyk] Fix for 1 vulnerabilities #92)
• cfe90c6 chore: use address manager ([Snyk] Security upgrade electron from 2.0.18 to 15.5.3 #91)
• 5b46aaa chore: release version v0.14.0
• bcf3e44 chore: update contributors
• fca175e chore: peer-discovery not using peer-info ([Snyk] Fix for 1 vulnerabilities #90)
• ecdda6e chore: release version v0.13.3
• 28c0ae1 chore: update contributors

See the full diff

Package name: libp2p-secio

The new version differs by 15 commits.

• b3a7040 chore: release version v0.12.1
• f1e79ce chore: update contributors
• b22152a chore: clean up published package ([Snyk] Security upgrade electron from 2.0.18 to 10.4.1 #110)
• aea41de chore: release version v0.12.0
• c081ea5 chore: update contributors
• 8ad4c15 refactor: use async await ([Snyk] Security upgrade electron from 2.0.18 to 15.5.6 #108)
• 774267f docs(fix): readme typo ([Snyk] Security upgrade ipfs from 0.30.0 to 0.34.0 #107)
• 1329e9c chore: add discourse badge ([Snyk] Fix for 1 vulnerabilities #105)
• 9b16472 chore: release version v0.11.1
• dac8520 chore: update contributors
• 581d80f chore: update deps
• f95a406 fix: reduce bundle size
• 80e3420 chore: release version v0.11.0
• 5d46976 chore: update contributors
• a6290f2 chore: update dependencies

See the full diff

Package name: libp2p-tcp

The new version differs by 60 commits.

• 9fcd053 chore: release version v0.17.0
• 162adc4 chore: update contributors
• b3e315a chore: update deps ([Snyk] Security upgrade libp2p-webrtc-star from 0.15.8 to 0.24.0 #147)
• 23e4fde chore: use node 16 in ci ([Snyk] Security upgrade ipfs from 0.30.0 to 0.51.0 #146)
• c9207e1 chore: release version v0.16.0
• 3780621 chore: update contributors
• 3249e02 feat: add types ([Snyk] Security upgrade electron from 2.0.18 to 18.3.14 #145)
• 4789cf1 chore: release version v0.15.4
• 48b8376 chore: update contributors
• 7dfdf10 chore: update deps ([Snyk] Security upgrade aegir from 14.0.0 to 37.2.0 #144)
• d39ad01 chore: update url interfaces (6 #143)
• 37406d1 chore: release version v0.15.3
• 2df4789 chore: update contributors
• 3813100 fix: hanging close promise ([Snyk] Fix for 5 vulnerabilities #140)
• 8661c09 chore: release version v0.15.2
• f9e3297 chore: update contributors
• af9804e fix: intermittent error when asking for interfaces ([Snyk] Security upgrade electron from 2.0.18 to 19.0.15 #137)
• e9e1f56 chore: release version v0.15.1
• dee839e chore: update contributors
• 8ff9f60 chore: update deps ([Snyk] Security upgrade ipfs from 0.30.0 to 0.64.0 #136)
• f17525a chore: update deps ([Snyk] Security upgrade electron from 2.0.18 to 15.5.3 #135)
• b524848 chore: release version v0.15.0
• 926a99c chore: update contributors
• d9f9912 chore: update deps ([Snyk] Security upgrade aegir from 14.0.0 to 37.5.2 #134)

See the full diff

Package name: libp2p-webrtc-star

The new version differs by 150 commits.

• 590c5fc chore: release version v0.23.0
• e88d63d chore: update contributors
• e4360f2 chore: update deps (#365)
• c629cc1 chore: release version v0.22.4
• d01cd4a chore: update contributors
• 441a34e chore: update deps and use socket.io server v4 (#362)
• 4822c40 chore: release version v0.22.3
• a046a72 chore: update contributors
• 1076b5b chore: update ipfs-utils dep (#341)
• f61c4a1 chore: remove unecessary async fn in test (#336)
• 2eacc5f chore: release version v0.22.2
• 4ccf5be chore: update contributors
• 4c82721 chore: add err code for unknown signal server on dial (#335)
• c780457 chore: release version v0.22.1
• 68b206f chore: update contributors
• 5b7b142 feat: support multiple listeners (#330)
• 53cbde6 chore: release version v0.22.0
• 35ea046 chore: update contributors
• 44f4232 chore: update deps (#329)
• f644b08 chore: release version v0.21.2
• b8b3fd0 chore: update contributors
• 8ef0358 chore(deps): bump err-code from 2.0.3 to 3.0.1 ([Snyk] Security upgrade ipfs from 0.30.0 to 0.66.1 #302)
• aa9f08a chore: release version v0.21.1
• 1f080b2 chore: update contributors

See the full diff

Package name: libp2p-websockets

The new version differs by 63 commits.

• e9189bb chore: release version v0.16.0
• c4005b3 chore: update contributors
• 27f6c41 chore: update deps ([Snyk] Security upgrade aegir from 14.0.0 to 37.5.2 #134)
• db343b2 chore: use node 16 in ci ([Snyk] Security upgrade electron from 2.0.18 to 15.5.3 #133)
• 19e6f59 chore: release version v0.15.9
• 6e6a90c chore: update contributors
• 7bfdcb9 chore: update ipfs-utils dep ([Snyk] Fix for 72 vulnerabilities #132)
• 62a3276 chore: release version v0.15.8
• a996e16 chore: update contributors
• ee47570 fix: listener get addrs with wss ([Snyk] Security upgrade electron from 2.0.18 to 18.3.9 #130)
• 237fa15 chore: release version v0.15.7
• 488847e chore: update contributors
• 01ad18e chore: update ipfs-utils dep ([Snyk] Security upgrade electron from 2.0.18 to 17.4.9 #128)
• e929104 chore: release version v0.15.6
• 47c234d chore: update contributors
• 76a4809 chore: update multiaddr to uri ([Snyk] Fix for 5 vulnerabilities #125)
• 90f13e9 chore: release version v0.15.5
• c7522a3 chore: update contributors
• 67a95cb chore: update deps ([Snyk] Fix for 1 vulnerabilities #124)
• f1a5d21 chore: release version v0.15.4
• c5ddb0b chore: update contributors
• ff4b764 chore: update deps ([Snyk] Security upgrade ipfs from 0.30.0 to 0.51.0 #123)
• d07d1b7 chore: release version v0.15.3
• 9934161 chore: update contributors

See the full diff

Package name: mafmt

The new version differs by 47 commits.

• 41dfe7c chore: release version v10.0.0
• c522889 chore: update contributors
• 2785b23 chore: upgrade multiaddr ([Snyk] Security upgrade electron from 2.0.18 to 9.4.0 #81)
• 14d8cae Upgrade to GitHub-native Dependabot ([Snyk] Security upgrade electron from 2.0.18 to 9.4.4 #80)
• e80cbe6 chore: release version v9.0.0
• 58c3f55 chore: update contributors
• d20caf5 chore: update deps and types ([Snyk] Security upgrade electron from 2.0.18 to 7.3.1 #79)
• 5c177cd chore: add util dev dep
• 1d9532a chore(deps-dev): bump aegir from 31.0.4 to 32.0.2
• 2524351 chore(deps-dev): bump aegir from 30.3.0 to 31.0.3 ([Snyk] Security upgrade aegir from 14.0.0 to 15.0.0 #74)
• 6a8b586 chore: fix lint
• 175e166 chore(deps-dev): bump aegir from 29.2.2 to 30.3.0
• e1dedc8 chore: release version v8.0.4
• edc37b4 chore: update contributors
• ac7d10c feat: add QUIC support ([Snyk] Security upgrade aegir from 14.0.0 to 15.0.0 #70)
• 38a1f1f chore: release version v8.0.3
• ce180cc chore: update contributors
• c8430c1 fix: add webrtc direct with p2p as valid P2P multiaddr ([Snyk] Security upgrade electron from 2.0.18 to 12.2.3 #71)
• f5beeee chore: release version v8.0.2
• a4ee2a9 chore: update contributors
• 10e131d chore: fix json format ts config ([Snyk] Security upgrade electron from 2.0.18 to 11.4.10 #68)
• 810466c chore(deps-dev): bump uint8arrays from 1.1.0 to 2.0.5 ([Snyk] Security upgrade electron from 2.0.18 to 10.4.4 #66)
• 161aa30 chore(deps-dev): bump aegir from 28.2.0 to 29.0.1 ([Snyk] Security upgrade ipfs from 0.30.0 to 0.55.0 #64)
• b02922e chore: release version v8.0.1

See the full diff

Package name: multiaddr

The new version differs by 118 commits.

• 5f1e3d6 chore: release version v10.0.1
• 665ece7 chore: update contributors
• 1296370 chore: remove .DS_Store file
• 19e6f14 chore: update uint8arrays ([Snyk] Fix for 26 vulnerabilities #206)
• 3014294 chore: release version v10.0.0
• 755d494 chore: update contributors
• 7e3aff9 chore: update to new multiformats ([Snyk] Security upgrade electron from 2.0.18 to 25.9.4 #200)
• 0b3bfe5 chore: release version v9.0.2
• 25a37c0 chore: update contributors
• 2201344 Support buffer with any byteOffset values instead of 0 ([Snyk] Fix for 7 vulnerabilities #201)
• a95b991 chore(deps-dev): bump sinon from 10.0.1 to 11.1.1 ([Snyk] Security upgrade electron from 2.0.18 to 23.2.3 #199)
• b58474f chore: release version v9.0.1
• cc9e03e chore: update contributors
• 54633f4 fix: types property ([Snyk] Security upgrade aegir from 14.0.0 to 37.0.0 #195)
• 9067450 chore: update changelog with breaking change examples
• ac7da1b chore: release version v9.0.0
• 15f36bc chore: update contributors
• 7d284e4 feat: add types ([Snyk] Fix for 1 vulnerabilities #189)
• aac0144 chore: release version v8.1.2
• d56cf70 chore: update contributors
• 0ac20ba fix: tell bundlers to return false for node dns module ([Snyk] Security upgrade html-webpack-plugin from 2.30.1 to 4.0.0 #163)
• 1cc85e3 chore: make tsconfig valid json ([Snyk] Security upgrade webpack from 2.7.0 to 3.0.0 #162)
• 967b845 chore(deps-dev): bump aegir from 28.2.0 to 29.0.1 ([Snyk] Security upgrade html-webpack-plugin from 2.30.1 to 4.0.0 #158)
• 449d49b chore: release version v8.1.1

See the full diff

Package name: multiaddr-to-uri

The new version differs by 21 commits.

• 66e7bed 8.0.0
• 06815b4 chore: update deps ([Snyk] Security upgrade electron from 2.0.18 to 12.2.3 #71)
• 0f451ea 7.0.0
• 7b7261e chore: update devDeps
• 0990778 chore: update multiaddr ([Snyk] Security upgrade electron from 2.0.18 to 10.4.4 #66)
• 5020cc1 6.0.0
• d8dedbd chore: update dependencies
• 888da27 chore(deps): bump minimist from 1.2.0 to 1.2.5 (DepShield encountered errors while building your project #46)
• 5406483 chore(deps): [security] bump acorn from 7.1.0 to 7.4.0 ([Snyk] Security upgrade ipfs from 0.30.0 to 0.50.0 #42)
• 7947b26 chore(deps): bump lodash from 4.17.15 to 4.17.19 ([Snyk] Security upgrade read-pkg-up from 4.0.0 to 8.0.0 #40)
• 599019b chore(deps-dev): bump nyc from 15.0.0 to 15.1.0 ([Snyk] Fix for 1 vulnerabilities #34)
• 36b1ad3 chore(deps-dev): bump standard from 14.3.1 to 14.3.4 ([Snyk] Security upgrade ipfs from 0.30.0 to 0.51.0 #33)
• e2caa85 chore: update deps ([Snyk] Security upgrade libp2p-webrtc-star from 0.15.8 to 0.20.7 #45)
• 73966a9 5.1.0
• 3021c00 feat: retain aliased protocols ([Snyk] Fix for 1 vulnerabilities #11)
• 5afa996 5.0.0
• a338d53 chore: update dependencies
• 0bcf4c9 chore: update travis config
• f54eb2c chore: update repo URL
• 3eefbb5 chore: udate devDependencies
• adda936 feat: assume HTTP when multiaddr ends with /tcp ([Snyk] Fix for 1 vulnerabilities #7)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/ipfs-repo@0.27.1	Transitive: environment, filesystem	+28	10.7 MB	jacobheun
npm/ipld@0.30.2	Transitive: filesystem, network	+38	17.7 MB	achingbrain
npm/libp2p-bootstrap@0.13.0	Transitive: environment, filesystem, network	+24	17.2 MB	vascosantos
npm/libp2p-kad-dht@0.19.9	Transitive: environment, eval, filesystem, network	+83	31 MB	vascosantos
npm/libp2p-mdns@0.17.0	Transitive: filesystem, network	+21	15.8 MB	vascosantos
npm/libp2p-secio@0.12.6	Transitive: environment, eval	+47	24.9 MB	jacobheun
npm/libp2p-tcp@0.17.2	network	+15	1.25 MB	vascosantos
npm/libp2p-webrtc-star@0.23.0	Transitive: environment, filesystem, network, shell, unsafe	+99	22.5 MB	vascosantos
npm/libp2p-websockets@0.16.2	Transitive: filesystem, network	+37	1.8 MB	achingbrain
npm/libp2p@0.32.5	Transitive: environment, filesystem, network, shell	+107	21.2 MB	vascosantos
npm/mafmt@10.0.0	Transitive: network	+5	719 kB	vascosantos
npm/multiaddr-to-uri@8.0.0	Transitive: network	+5	681 kB	achingbrain
npm/multiaddr@10.0.1	Transitive: network	+4	670 kB	vascosantos

🚮 Removed packages: npm/libp2p@0.23.1, npm/multiaddr-to-uri@4.0.1

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Native code	npm/leveldown@5.6.0	Location: Package overview	examples/custom-ipfs-repo/package.json examples/custom-libp2p/package.json examples/ipfs-101/package.json package.json
Install scripts	npm/protobufjs@6.11.4	Install script: postinstall Source: node scripts/postinstall	examples/custom-ipfs-repo/package.json examples/custom-libp2p/package.json examples/ipfs-101/package.json package.json
HTTP dependency	npm/ipfs-utils@8.1.6	Dependency: node-fetch@https://registry.npmjs.org/@achingbrain/node-fetch/-/node-fetch-2.6.7.tgz Location: Package overview	examples/custom-ipfs-repo/package.json examples/custom-libp2p/package.json examples/ipfs-101/package.json package.json
Install scripts	npm/level@5.0.1	Install script: postinstall Source: opencollective-postinstall || exit 0	examples/custom-ipfs-repo/package.json examples/custom-libp2p/package.json examples/ipfs-101/package.json package.json

View full report↗︎

Next steps

What's wrong with native code?

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

What are http dependencies?

Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability.

Publish the HTTP URL dependency to npm or a private package repository and consume it from there.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/leveldown@5.6.0
• @SocketSecurity ignore npm/protobufjs@6.11.4
• @SocketSecurity ignore npm/ipfs-utils@8.1.6
• @SocketSecurity ignore npm/level@5.0.1