Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: bump is-ip from 4.0.0 to 5.0.0 #260

Merged
merged 1 commit into from
Aug 30, 2022

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 25, 2022

Bumps is-ip from 4.0.0 to 5.0.0.

Release notes

Sourced from is-ip's releases.

v5.0.0

Breaking

  • Require Node.js 14 3860056

sindresorhus/is-ip@v4.0.0...v5.0.0

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [is-ip](https://github.com/sindresorhus/is-ip) from 4.0.0 to 5.0.0.
- [Release notes](https://github.com/sindresorhus/is-ip/releases)
- [Commits](sindresorhus/is-ip@v4.0.0...v5.0.0)

---
updated-dependencies:
- dependency-name: is-ip
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jul 25, 2022
@achingbrain achingbrain merged commit 3cd4699 into master Aug 30, 2022
@achingbrain achingbrain deleted the dependabot/npm_and_yarn/is-ip-5.0.0 branch August 30, 2022 13:14
github-actions bot pushed a commit that referenced this pull request Aug 30, 2022
## [10.3.5](v10.3.4...v10.3.5) (2022-08-30)

### Trivial Changes

* update project config ([#265](#265)) ([4d3ba0c](4d3ba0c))

### Dependencies

* bump is-ip from 4.0.0 to 5.0.0 ([#260](#260)) ([3cd4699](3cd4699))
@github-actions
Copy link

🎉 This PR is included in version 10.3.5 🎉

The release is available on:

Your semantic-release bot 📦🚀

@wemeetagain
Copy link
Contributor

@achingbrain see ChainSafe/lodestar#4689

is-ip 5.0.0 is significantly slower due to wrapping the regex call in the super-regex library.
Recommendation to revert this PR or roll our own dependency.

@wemeetagain
Copy link
Contributor

If we need better protection against regex DoS, we should be able to limit the input string in some ways without resorting to nifty but slow techniques like super-regex.

@achingbrain
Copy link
Member

I've opened sindresorhus/is-ip#14

@sindresorhus
Copy link

If we need better protection against regex DoS, we should be able to limit the input string in some ways without resorting to nifty but slow techniques

Unfortunately from experience, this is not always enough. A malicious input could make the regex crawl to a halt in 20 characters.

@sindresorhus
Copy link

I'm the author of is-ip. I'm happy to add an option to skip super-regex, but I think you want the ReDoS protection. I'm open to other ideas.

Alternatively, you can just use ip-regex package directly.

@wemeetagain
Copy link
Contributor

wemeetagain commented Oct 25, 2022

Hey @sindresorhus thanks for replying :)

We def don't want to be vulnerable to DoS attacks. But we also are running into performance issues with the current approach.

Some possible directions:

  • If we can determine that there are some uses of is-ip that are trusted / we know won't pass in malicious input. We could use regex and skip the call to super-regex.

  • If we can use or build something less generic than regex that doesn't have the same worst-case properties.
    Eg: rust std has a custom parser to parse IP addrs from strings: https://doc.rust-lang.org/src/std/net/parser.rs.html#36

  • use net.isIP?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file released
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants