Open bert-bae opened 3 months ago
npm version 10.5.0 is using socks 2.8.0 (npm/cli#7184, files), which replaced the problematic ip package: https://github.com/JoshGlazebrook/socks/commit/66b7f73023697f6ffb9751b5749b1a8f9b8d5066#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L48
It's available in node versions:
>= 21.7.0
>= 20.12.0
>= 18.20.0
Looks like this has been updated in the latest image: https://github.com/nodejs/docker-node/commit/e8dc03502488e162b6860a6adc3ee8e8ae517e87
I am using node:20.11.0-alpine and got the same as below:
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
PS: I use pnpm, and after installing ip 2.0.1 I still got this issue.
Node Alpine 18.19-alpine3.19 and below have the "ip" package vulnerability. NIST issue link
Although the images are using ip@2.0.0, it looks like the proper fix is applied in ip@2.0.1. Since it is a dependency of npm, it appears updating the npm version to the latest will resolve the issue.
Impacted versions: <=0.4.23 Discovered: Feb 8, 2024 Updated: Mar 6, 2024