From b11e601a3fa8ce470d2a8706862aa9b730534256 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 7 May 2026 12:59:55 +0000
Subject: [PATCH] chore(deps): bump ip-address to 10.2.0 (GHSA-v2v4-37r5-5v8g)

- Add root overrides.ip-address: ^10.1.1 to force all transitive consumers (@mongodb-js/socksv5@0.0.10, socks@2.8.3) onto the patched release; @mongodb-js/socksv5 has no newer release that clears the advisory, so the override is the only viable lockfile fix
- Bump packages/devtools-connect socks range from ^2.7.3 to ^2.8.8 so the workspace-local copy also uses the version that officially ships ip-address@^10.1.1

Fixes GHSA-v2v4-37r5-5v8g / CVE-2026-42338 (Dependabot alert #257)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 package-lock.json | 76 ++++++++++++--------------
 package.json | 3 +
 packages/devtools-connect/package.json | 2 +-
 3 files changed, 40 insertions(+), 41 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5b1c42ea..063f2f8c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -18079,27 +18079,14 @@ } }, "node_modules/ip-address": { - "version": "9.0.5", - "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-9.0.5.tgz", - "integrity": "sha512-zHtQzGojZXTwZTHQqra+ETKd4Sn3vgi7uBmlPoXVWZqYvuKmtI0l/VZTjqGmJY9x88GGOaZ9+G9ES8hC4T4X8g==", - "dependencies": { - "jsbn": "1.1.0", - "sprintf-js": "^1.1.3" - }, + "version": "10.2.0", + "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz", + "integrity": "sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==", + "license": "MIT", "engines": { "node": ">= 12" } }, - "node_modules/ip-address/node_modules/jsbn": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-1.1.0.tgz", - "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==" - }, - "node_modules/ip-address/node_modules/sprintf-js": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.1.3.tgz", - "integrity": "sha512-Oo+0REFV59/rz3gfJNKQiBlwfHaSESl1pcGyABQsnnIfWOFt6JNj5gCog2U6MLZ//IGYD+nA8nI+mTShREReaA==" - }, "node_modules/ip-range-check": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/ip-range-check/-/ip-range-check-0.0.1.tgz", @@ -28373,7 +28360,7 @@ "@mongodb-js/oidc-http-server-pages": "1.2.12", "lodash.merge": "^4.6.2", "mongodb-connection-string-url": "^3.0.1 || ^7.0.0", - "socks": "^2.7.3" + "socks": "^2.8.8" }, "devDependencies": { "@mongodb-js/oidc-plugin": "^2.0.8", 
@@ -28417,6 +28404,20 @@ "mongodb-log-writer": "^2.5.12" } }, + "packages/devtools-connect/node_modules/socks": { + "version": "2.8.8", + "resolved": "https://registry.npmjs.org/socks/-/socks-2.8.8.tgz", + "integrity": "sha512-NlGELfPrgX2f1TAAcz0WawlLn+0r3FyhhCRpFFK2CemXenPYvzMWWZINv3eDNo9ucdwme7oCHRY0Jnbs4aIkog==", + "license": "MIT", + "dependencies": { + "ip-address": "^10.1.1", + "smart-buffer": "^4.2.0" + }, + "engines": { + "node": ">= 10.0.0", + "npm": ">= 3.0.0" + } + }, "packages/devtools-proxy-support": { "name": "@mongodb-js/devtools-proxy-support", "version": "0.7.13", @@ -35913,10 +35914,21 @@ "prettier": "^3.8.1", "resolve-mongodb-srv": "^1.1.1", "sinon-chai": "^4.0.1", - "socks": "^2.7.3", + "socks": "^2.8.8", "ts-node": "^10.9.2", "ts-sinon": "^2.0.1", "typescript": "^5.9.3" + }, + "dependencies": { + "socks": { + "version": "2.8.8", + "resolved": "https://registry.npmjs.org/socks/-/socks-2.8.8.tgz", + "integrity": "sha512-NlGELfPrgX2f1TAAcz0WawlLn+0r3FyhhCRpFFK2CemXenPYvzMWWZINv3eDNo9ucdwme7oCHRY0Jnbs4aIkog==", + "requires": { + "ip-address": "^10.1.1", + "smart-buffer": "^4.2.0" + } + } } }, "@mongodb-js/devtools-proxy-support": { @@ -37200,7 +37212,7 @@ "resolved": "https://registry.npmjs.org/@mongodb-js/socksv5/-/socksv5-0.0.10.tgz", "integrity": "sha512-JDz2fLKsjMiSNUxKrCpGptsgu7DzsXfu4gnUQ3RhUaBS1d4YbLrt6HejpckAiHIAa+niBpZAeiUsoop0IihWsw==", "requires": { - "ip-address": "^9.0.5" + "ip-address": "^10.1.1" } }, "@mongodb-js/ts-autocomplete": { 
@@ -45332,25 +45344,9 @@ "dev": true }, "ip-address": { - "version": "9.0.5", - "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-9.0.5.tgz", - "integrity": "sha512-zHtQzGojZXTwZTHQqra+ETKd4Sn3vgi7uBmlPoXVWZqYvuKmtI0l/VZTjqGmJY9x88GGOaZ9+G9ES8hC4T4X8g==", - "requires": { - "jsbn": "1.1.0", - "sprintf-js": "^1.1.3" - }, - "dependencies": { - "jsbn": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-1.1.0.tgz", - "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==" - }, - "sprintf-js": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.1.3.tgz", - "integrity": "sha512-Oo+0REFV59/rz3gfJNKQiBlwfHaSESl1pcGyABQsnnIfWOFt6JNj5gCog2U6MLZ//IGYD+nA8nI+mTShREReaA==" - } - } + "version": "10.2.0", + "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz", + "integrity": "sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==" }, "ip-range-check": { "version": "0.0.1",
@@ -51318,7 +51314,7 @@ "resolved": "https://registry.npmjs.org/socks/-/socks-2.8.3.tgz", "integrity": "sha512-l5x7VUUWbjVFbafGLxPWkYsHIhEvmF85tbIeFZWc8ZPtoMyybuEhL7Jye/ooC4/d48FgOjSJXgsF/AJPYCW8Zw==", "requires": { - "ip-address": "^9.0.5", + "ip-address": "^10.1.1", "smart-buffer": "^4.2.0" } },
diff --git a/package.json b/package.json
index 2a1f7b08..5386fca3 100644
--- a/package.json
+++ b/package.json
@@ -51,5 +51,8 @@
 "depcheck": "^1.4.7",
 "husky": "^9.1.7",
 "lerna": "^9.0.7"
+ },
+ "overrides": {
+ "ip-address": "^10.1.1"
 }
 }
diff --git a/packages/devtools-connect/package.json b/packages/devtools-connect/package.json
index a9069d4f..2e17707a 100644
--- a/packages/devtools-connect/package.json
+++ b/packages/devtools-connect/package.json
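Review bot: The unscoped root `overrides` entry added in the package.json hunk forces ip-address 10.x onto socks@2.8.3 and @mongodb-js/socksv5@0.0.10, both of which declared `^9.0.5` before this change according to the lockfile hunks, so they now run against a major version they were not published for; nothing in this patch exercises the SOCKS proxy path with IPv4 and IPv6 targets to show that still works. npm only honours `overrides` from the root package.json of the project being installed, so anyone who installs a published workspace package that pulls in @mongodb-js/socksv5 (which package does is not visible here) can still resolve the 9.x line, and the change is better described as clearing this repository's lockfile than as protecting the packages' consumers. Scoping the entry to the consumers that need it, e.g. `"@mongodb-js/socksv5": { "ip-address": "^10.1.1" }` and `"socks": { "ip-address": "^10.1.1" }`, would also avoid silently pinning any future dependency that asks for a different ip-address major.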
@@ -51,7 +51,7 @@
 "@mongodb-js/devtools-proxy-support": "^0.7.13",
 "lodash.merge": "^4.6.2",
 "mongodb-connection-string-url": "^3.0.1 || ^7.0.0",
- "socks": "^2.7.3"
+ "socks": "^2.8.8"
 },
 "peerDependencies": {
 "@mongodb-js/oidc-plugin": "^2.0.8",