Unleash / unleash-client-node

Unleash client SDK for Node.js
https://docs.getunleash.io
Apache License 2.0

NPM audit failing due to vulnerability in `ip` dependency #620

Closed marshmn closed 2 months ago

marshmn commented 3 months ago

Describe the bug

Since yesterday, the NPM audit of my application (which uses unleash-client) has been failing due to what looks to be a vulnerability in the ip dependency:

$ npm audit --omit=dev
# npm audit report
ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix --force`
Will install unleash-client@2.3.0, which is a breaking change
node_modules/ip
  unleash-client  >=2.3.1
  Depends on vulnerable versions of ip
  node_modules/unleash-client
2 high severity vulnerabilities

It looks like the dependency will need updating.

Steps to reproduce the bug

No response

Expected behavior

No response

Logs, error output, etc.

No response

Screenshots

No response

Additional context

No response

Unleash version

No response

Subscription type

None

Hosting type

None

SDK information (language and version)

No response

madsop-nav commented 3 months ago

This is the CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-29415

chriswk commented 3 months ago

Hi. Thanks for the report. There's no current workaround here. No patch has yet been released for ip. The only usage of the ip library in the client is for the remote address strategy, to see if the req.ip matches what has been defined in properties; so reading the CVE it doesn't seem like we would run into a problem here. But I see that failing the scan can be a dealbreaker, so we'll pay attention and release an upgrade as soon as the ip library releases a patch/fix.

SimenB commented 3 months ago

Also notable: https://github.com/indutny/node-ip/issues/150#issuecomment-2144912654

alexleonov-tactiq commented 3 months ago

@chriswk ip is poorly maintained, so there may be better options, as mentioned in https://github.com/storybookjs/storybook/issues/26014#issuecomment-1942959058

anjakunkel commented 2 months ago

Please release this as soon as possible, as it resolves auditing issues.