[Security] Bump ip from 1.1.8 to 1.1.9 (!169) · Merge requests · games / drraw

Dependabot requested to merge dependabot-npm_and_yarn-ip-1.1.9 into master Mar 12, 2024

Bumps ip from 1.1.8 to 1.1.9. This update includes a security fix.

Vulnerabilities fixed

NPM IP package incorrectly identifies some private IP addresses as public The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

Patched versions: 1.1.9 Affected versions: < 1.1.9

Commits

1ecbf2f 1.1.9
6a3ada9 lib: fixed CVE-2023-42282 and added unit test
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump ip from 1.1.8 to 1.1.9

Merge request reports