[Security] Bump ip from 2.0.0 to 2.0.1

Merged Dependabot requested to merge dependabot-npm_and_yarn-ip-2.0.1 into master

Bumps ip from 2.0.0 to 2.0.1. This update includes a security fix.

Vulnerabilities fixed

NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks

An issue in all published versions of the NPM package ip allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.

Patched versions: none
Affected versions: <= 2.0.0

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Merge request pipeline #11164 passed

Merge request pipeline passed for 38288dc0

Merged by Dependabot 1 year ago (Feb 19, 2024 5:52am UTC)

Pipeline #11165 passed

Pipeline passed for 8757c3d2 on master

Deployed to production 1 year ago
