Skip to content

[Security] Bump ip from 1.1.8 to 1.1.9

Dependabot requested to merge dependabot-npm_and_yarn-ip-1.1.9 into master

Bumps ip from 1.1.8 to 1.1.9. This update includes a security fix.

Vulnerabilities fixed

NPM IP package incorrectly identifies some private IP addresses as public The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

Patched versions: 1.1.9 Affected versions: < 1.1.9

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading