Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

NPM audit failing due to vulnerability in ip dependency #620

Closed
marshmn opened this issue Jun 4, 2024 · 5 comments · Fixed by #622
Closed

NPM audit failing due to vulnerability in ip dependency #620

marshmn opened this issue Jun 4, 2024 · 5 comments · Fixed by #622
Assignees
@chriswk
Labels
bug

Comments

@marshmn
Copy link

marshmn commented Jun 4, 2024

Describe the bug

Since yesterday, the NPM audit of my application (which uses unleash-client) has been failing due to what looks to be a vulnerability in the ip dependency:

$ npm audit --omit=dev
# npm audit report
ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix --force`
Will install unleash-client@2.3.0, which is a breaking change
node_modules/ip
  unleash-client  >=2.3.1
  Depends on vulnerable versions of ip
  node_modules/unleash-client
2 high severity vulnerabilities

It looks like the dependency will need updating.

Steps to reproduce the bug

No response

Expected behavior

No response

Logs, error output, etc.

No response

Screenshots

No response

Additional context

No response

Unleash version

No response

Subscription type

None

Hosting type

None

SDK information (language and version)

No response
@marshmn marshmn added the bug label Jun 4, 2024
@madsop-nav
Copy link

This is the CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-29415

@chriswk
Copy link
Member

chriswk commented Jun 5, 2024

Hi. Thanks for the report. There's no current workaround here. No patch has yet been released for ip. The only usage of the ip library in the client is for the remote address strategy, to see if the req.ip matches what has been defined in properties; so reading the CVE it doesn't seem like we would run into a problem here. But I see that failing the scan can be a dealbreaker, so we'll pay attention and release an upgrade as soon as the ip library releases a patch/fix.

@chriswk chriswk moved this from New to Blocked in Issues and PRs Jun 5, 2024
@chriswk chriswk self-assigned this Jun 5, 2024
@SimenB
Copy link
Collaborator

SimenB commented Jun 5, 2024

Also notable: indutny/node-ip#150 (comment)

@alexleonov-tactiq
Copy link

@chriswk ip is poorly maintained, so there may be better options like mentioned in storybookjs/storybook#26014 (comment)

lpessoa added a commit to lpessoa/unleash-client-node that referenced this issue Jun 8, 2024
@lpessoa
feat: replacing ip package for ip-address package
9890fbf 
Fixes Unleash#620

Replacing `ip` pacakage for `ip-address` package to address https://nvd.nist.gov/vuln/detail/CVE-2024-29415.
@lpessoa lpessoa mentioned this issue Jun 8, 2024
Merged
chriswk pushed a commit that referenced this issue Jun 13, 2024
@lpessoa
feat: replacing ip package for ip-address package (#622)
7ee1e5d 
* feat: replacing ip package for ip-address package

Fixes #620

Replacing `ip` package for `ip-address` package to address https://nvd.nist.gov/vuln/detail/CVE-2024-29415.
@github-project-automation github-project-automation bot moved this from Blocked to Done in Issues and PRs Jun 13, 2024
@anjakunkel
Copy link

Please release this as soon as possible, as it resolves auditing issues.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@chriswk chriswk

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: replacing ip package for ip-address package lpessoa/unleash-client-node
6 participants
@chriswk @SimenB @marshmn @anjakunkel @madsop-nav @alexleonov-tactiq