Thanks @amarbardolia! Shouldn't there be a change in package.json to make the override more explicit?

@webpro Thanks for the review. I can't think of a reason to update package.json file. And FYI the changes I added were the outcome of npm audit fix. Let me know if you still think there should be a change in package.json file with a snippet and would be happy to submit it.

I mean overrides: https://docs.npmjs.com/cli/configuring-npm/package-json#overrides

@webpro you mean we should add overrides in our repo's package.json instead of updating release-it repo?

No, in the package.json of release-it itself, so the package manager knows about it. The lockfile isn't published!

@webpro Thanks. Added overrides for vulnerable packages.

pac-resolver and socks packages were upgraded to get rid of ip package

TooTallNate/proxy-agents#281 JoshGlazebrook/socks#94

Thanks!

Alongside also upgraded vulnerable braces package to 3.0.3

Why did you upgrade braces and why is it in overrides? It doesn't seem to be using ip.

We could upgrade it, but seems to me it's a different thing that's not supposed to go into overrides (nor in this PR).

Thanks @webpro. I have removed braces from overrides. It was also reported as a vulnerability (unrelated to ip package) so thought to address it as a part of this PR.

Sorry, we could pick that up in a separate PR if you still want?

Can't we also just upgrade proxy-agent now, instead of using the overrides? See https://github.com/TooTallNate/proxy-agents/commits/main/

I'll update some dependencies now and publish, then we can do another scan?

Unfortunately the container package proxy-agent wasn't updated upstream.

Thanks @amarbardolia!

🚀 This pull request is included in v17.4.2. See Release 17.4.2 for release notes.

Unfortunately the container package proxy-agent wasn't updated upstream.

Yup. That's why couldn't upgrade it. Thanks @webpro for merge and release.