
Replace vulnerable ip dependency #586

Closed
madsop-nav opened this issue Feb 14, 2024 · 6 comments · Fixed by #591

@madsop-nav

Describe the feature request

Replace the ip library with for instance ip-address

Background

The ip library has a severe CVE: indutny/node-ip#136

Solution suggestions

No response

@kwasniew
Contributor

Thanks for the report. We never use this package to distinguish between public and private IP addresses, which is the core of the vulnerability. We're monitoring a PR with a fix anyway, indutny/node-ip#138, and will apply it as soon as possible.

@Henning3110

It seems there was a release this morning without the vulnerability: https://github.com/indutny/node-ip/releases/tag/v2.0.1

@gastonfournier gastonfournier self-assigned this Feb 19, 2024
@gastonfournier
Contributor

@Henning3110 @madsop-nav we'll be patching 5.5.0 with this new version. Will that be enough for your use case?

@madsop-nav
Author

@Henning3110 @madsop-nav we'll be patching 5.5.0 with this new version. Will that be enough for your use case?

Yes, that'd be sufficient indeed. Thanks!

@Henning3110

Of course. Thank you for the quick implementation.

@gastonfournier
Contributor

https://github.com/Unleash/unleash-client-node/releases/tag/v5.5.1 is out, please reach out if there's any problem! Thanks!
