chore: address CVE-2023-42282

[tido64]

Description

The only difference between 1.1.8 and 2.0.0 is the use of Buffer.alloc instead of new Buffer (diff).

For details on the CVE, see GHSA-78xj-cgh5-2h22.

Platforms affected

• Android
• iOS
• macOS
• Windows

Test plan

n/a

[levpachmanov]

Hi @tido64 @kelset,

ip@2.0.0 is affected by CVE-2023-42282 - github/advisory-database#3504
Unfortunately, the library is no longer maintained, so there is no public solution.

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an ip 1.1.8-sp and 2.0.0-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.