Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency ip to v1.1.9 [security] #300

Merged
merged 1 commit into from
Sep 7, 2024
Merged

chore(deps): update dependency ip to v1.1.9 [security] #300

merged 1 commit into from
Sep 7, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 22, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
ip 1.1.8 -> 1.1.9 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-42282

The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

Release Notes

indutny/node-ip (ip)

v1.1.9

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the security label Feb 22, 2024
@socket-security Socket Security
Copy link

socket-security bot commented Feb 22, 2024
edited
Loading

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/ip@1.1.9 None 0 15.5 kB indutny

🚮 Removed packages: npm/ip@1.1.8)

View full report↗︎

@renovate renovate bot force-pushed the renovate_npm-ip-vulnerability branch from ea2e022 to f0973f1 Compare June 2, 2024 02:17
@renovate renovate bot force-pushed the renovate_npm-ip-vulnerability branch 2 times, most recently from cf97fc5 to 0103f7e Compare June 17, 2024 22:33
@renovate renovate bot force-pushed the renovate_npm-ip-vulnerability branch from 0103f7e to f781c2e Compare July 28, 2024 11:01
@renovate renovate bot force-pushed the renovate_npm-ip-vulnerability branch from f781c2e to 51997f2 Compare September 7, 2024 02:27
@renovate renovate bot force-pushed the renovate_npm-ip-vulnerability branch from 51997f2 to b7c039c Compare September 7, 2024 08:57
@alxhotel alxhotel merged commit 26d14a4 into master Sep 7, 2024
4 checks passed
@alxhotel alxhotel deleted the renovate_npm-ip-vulnerability branch September 7, 2024 08:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alxhotel alxhotel alxhotel approved these changes

Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@alxhotel