
Bump ip-address and socks #56

Open
dependabot[bot] wants to merge 4 commits into main from dependabot/npm_and_yarn/multi-c7d2a75057

Conversation

@dependabot (dependabot[bot]) commented on behalf of github May 13, 2026


Bumps ip-address and socks. These dependencies needed to be updated together.

Updates ip-address from 9.0.5 to 10.2.0

Updates socks from 2.8.3 to 2.8.9

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Low risk lockfile-only dependency bumps, but they touch SOCKS/IP parsing libraries so proxy/network-related tooling could behave differently if relied on in dev workflows.

Overview
Updates package-lock.json to bump ip-address from 9.0.5 to 10.2.0 and socks from 2.8.3 to 2.8.9 (with socks now depending on ip-address ^10.1.1).

This removes transitive deps (jsbn, sprintf-js) that were previously pulled in via ip-address, and adds license metadata for the updated packages.

Reviewed by Cursor Bugbot for commit bd5b1c3. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [ip-address](https://github.com/beaugunderson/ip-address) and [socks](https://github.com/JoshGlazebrook/socks). These dependencies needed to be updated together.

Updates `ip-address` from 9.0.5 to 10.2.0
- [Commits](https://github.com/beaugunderson/ip-address/commits)

Updates `socks` from 2.8.3 to 2.8.9
- [Release notes](https://github.com/JoshGlazebrook/socks/releases)
- [Commits](JoshGlazebrook/socks@2.8.3...2.8.9)

---
updated-dependencies:
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
- dependency-name: socks
  dependency-version: 2.8.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) May 13, 2026
@github-actions


🚨 Supply-chain cooldown check failed

1 package(s) below the 7-day cooldown threshold.

This guards against supply-chain attacks (e.g. Mini Shai-Hulud) where a malicious version is published and exfiltrates within hours. Wait until the version ages out, pin to an older known-good version, or add the security/cooldown-override label after manual review of the package's publish history.

Ecosystem  Package  Version  Published            Age
npm        socks    2.8.9    2026-05-08T19:49:47  4.2 days

How to unblock

  1. Wait it out. Most safe choice. The package will pass the check in 7 days minus its current age.
  2. Pin to an older version. Update your spec or lockfile to a version published > 7 days ago.
  3. Override. Add the security/cooldown-override label after manually verifying the package's npm/PyPI history, maintainer, and changelog. The override is logged in PR history; reviewers can audit.

Generated by supply-chain-guard.
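The cooldown rule the bot applies above, and the lockfile-only bump Bugbot describes, as an added example that is not supply-chain-guard's, Dependabot's or Bugbot's code. It reads the locked versions out of a constructed package-lock.json excerpt, looks each one up in a constructed stand-in for the npm registry's per-version "time" map, and fails any package younger than the 7-day threshold or with no publish timestamp at all. The lockfile excerpt, every registry timestamp except socks 2.8.9's (taken from the bot's table and assumed to be UTC), and the evaluation time 2026-05-13T00:37:47Z are assumptions made for the example.

```javascript
// Added example (not supply-chain-guard's, Dependabot's or Bugbot's code):
// a minimal cooldown check over an npm lockfile.
const COOLDOWN_DAYS = 7;

// Constructed excerpt of a package-lock.json (lockfileVersion 3 layout) after
// the bump; only socks and ip-address are shown.
const LOCKFILE = {
  name: "example",
  lockfileVersion: 3,
  packages: {
    "": { name: "example", dependencies: { socks: "^2.8.3" } },
    "node_modules/socks": { version: "2.8.9", dependencies: { "ip-address": "^10.1.1" } },
    "node_modules/ip-address": { version: "10.2.0" },
  },
};

// Constructed stand-in for the registry's per-version publish times. The real
// metadata at https://registry.npmjs.org/<name> carries a "time" object of the
// same <version>: <ISO timestamp> shape (plus "created" and "modified" keys).
// Only the socks 2.8.9 timestamp comes from the bot's table (assumed UTC);
// the others are invented for the example.
const REGISTRY_TIME = {
  socks: {
    "2.8.3": "2024-02-27T00:00:00.000Z",
    "2.8.9": "2026-05-08T19:49:47.000Z",
  },
  "ip-address": { "10.2.0": "2026-04-01T00:00:00.000Z" },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(path) {
  const parts = path.split("node_modules/");
  return parts[parts.length - 1];
}

// Every locked (name, version) pair, root project excluded.
function lockedPackages(lock) {
  return Object.entries(lock.packages)
    .filter(([path]) => path !== "")
    .map(([path, entry]) => ({ name: packageNameFromPath(path), version: entry.version }));
}

function ageInDays(publishedIso, nowIso) {
  return (Date.parse(nowIso) - Date.parse(publishedIso)) / 86_400_000;
}

// Returns the packages that fail the cooldown. A version with no publish
// timestamp fails too (fail closed): the registry not knowing the version is
// not evidence that it is safe.
function cooldownCheck(lock, registryTime, nowIso, cooldownDays = COOLDOWN_DAYS) {
  const violations = [];
  for (const { name, version } of lockedPackages(lock)) {
    const published = registryTime[name]?.[version];
    if (!published) {
      violations.push({ name, version, reason: "no publish timestamp" });
      continue;
    }
    const age = ageInDays(published, nowIso);
    if (age < cooldownDays) {
      violations.push({ name, version, published, ageDays: Math.round(age * 10) / 10 });
    }
  }
  return violations;
}

// Candidate for the "pin to an older version" option: the most recently
// published version of one package that has already aged past the cooldown,
// or null if none has. Skips the registry's non-version "created"/"modified" keys.
function latestAgedVersion(times, nowIso, cooldownDays = COOLDOWN_DAYS) {
  let best = null;
  for (const [version, published] of Object.entries(times)) {
    if (version === "created" || version === "modified") continue;
    if (ageInDays(published, nowIso) < cooldownDays) continue;
    if (best === null || Date.parse(published) > Date.parse(times[best])) best = version;
  }
  return best;
}

// Stand-alone run at the evaluation time assumed for the bot's table.
const NOW = "2026-05-13T00:37:47.000Z";
for (const v of cooldownCheck(LOCKFILE, REGISTRY_TIME, NOW)) {
  const pin = latestAgedVersion(REGISTRY_TIME[v.name] ?? {}, NOW);
  const why = v.reason ?? `${v.ageDays} days old`;
  console.log(`${v.name}@${v.version}: ${why}; latest aged version: ${pin}`);
}
```

In a real workflow REGISTRY_TIME is replaced by a fetch of each package's registry document and a read of its `time` object; the shape of the check stays the same. Failing closed on a missing timestamp is deliberate: a version the registry has no record of, or one that has been unpublished since the lockfile was written, is exactly the situation a cooldown exists to catch, and `latestAgedVersion` supplies the concrete candidate for the bot's "pin to an older version" option rather than leaving the reviewer to guess.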

SemiKyle added 3 commits May 13, 2026 14:58, each with the same message:

Cooldown workflow injection was misconfigured between supply-chain-guard#4 (2026-05-13T19:37:38Z) and #5 (19:54:58Z). Empty commit forces pull_request synchronize so the now-correct ruleset re-evaluates this PR.