
[Security] Bump ip from 2.0.0 to 2.0.1

Dependabot requested to merge dependabot-npm_and_yarn-ip-2.0.1 into master

Bumps ip from 2.0.0 to 2.0.1. This update includes a security fix.

Vulnerabilities fixed

NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks

An issue in all published versions of the NPM package ip allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.

Patched versions: none
Affected versions: <= 2.0.0

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
