digitalfabrik / lunes-app

The front end for the Lunes vocabulary trainer. Back end: https://github.com/digitalfabrik/lunes-cms
https://lunes.app
Apache License 2.0

NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks #1006

Closed ztefanie closed 4 months ago

ztefanie commented 5 months ago

Is your feature request related to a problem? Please describe. All packages using the ip package should be updated, so that the ip package version is > 2.0.0 (greater, not greater-or-equal!).

Additional context See here: https://github.com/digitalfabrik/integreat-app/security/dependabot/149 Packages that need updates are:

   - Hoisted from "_project_#native#react-native#@react-native-community#cli#@react-native-community#cli-doctor#ip"
   - Hoisted from "_project_#native#react-native#@react-native-community#cli#@react-native-community#cli-hermes#ip"

Use yarn why ip to check if all occurrences are updated correctly.
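The check the issue asks for (every resolved copy of ip must be strictly greater than 2.0.0, across all hoisted occurrences) can also be automated against the yarn.lock rather than eyeballing `yarn why ip`. The following is an added example for this thread, not code from the lunes-app repository or from the issue author: it parses a yarn v1 lockfile, collects every entry that resolves the `ip` package, and reports the ones whose version is not greater than 2.0.0. The lockfile excerpt is constructed for illustration; the package names match the hoisting paths named above, but the version numbers are made up.

```javascript
// Added example (not from the lunes-app repo): verify that every resolved
// version of the `ip` package in a yarn.lock (v1 format) is strictly
// greater than 2.0.0, as the issue requires. Node.js, no dependencies.

// Constructed yarn.lock excerpt for illustration only; the cli-doctor and
// cli-hermes package names come from the issue, the versions are made up.
const SAMPLE_LOCK = `
# yarn lockfile v1

"@react-native-community/cli-doctor@12.3.0":
  version "12.3.0"
  dependencies:
    ip "^1.1.5"

"@react-native-community/cli-hermes@12.3.0":
  version "12.3.0"
  dependencies:
    ip "^2.0.0"

ip@^1.1.5:
  version "1.1.8"
  resolved "https://registry.yarnpkg.com/ip/-/ip-1.1.8.tgz"

ip@^2.0.0:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/ip/-/ip-2.0.1.tgz"
`;

// The issue requires "> 2.0.0", so this exact version still counts as unsafe.
const MIN_SAFE = [2, 0, 0];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric major/minor/patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [{ spec, version }] for every lockfile entry whose key names the
// `ip` package (e.g. `ip@^1.1.5`). Dependency lines inside other entries
// are indented and are deliberately skipped; only resolved entries count.
function findIpEntries(lockText) {
  const entries = [];
  const lines = lockText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const header = lines[i].trimEnd();
    // Entry headers are unindented and end with ':'; keys may be quoted
    // and several specs may share one entry, comma-separated.
    if (!/^\S/.test(header) || !header.endsWith(':')) continue;
    const keys = header.slice(0, -1).split(',')
      .map(k => k.trim().replace(/^"|"$/g, ''));
    // `ip@...` is the ip package; `@scope/name@...` or `ipaddr.js@...` is not.
    if (!keys.some(k => /^ip@/.test(k))) continue;
    // The resolved version is on an indented line following the header.
    for (let j = i + 1; j < lines.length && /^\s/.test(lines[j]); j++) {
      const vm = /^\s+version\s+"([^"]+)"/.exec(lines[j]);
      if (vm) {
        entries.push({ spec: keys.join(', '), version: vm[1] });
        break;
      }
    }
  }
  return entries;
}

// Entries whose resolved version is NOT > 2.0.0; an empty array means clean.
function vulnerableIpEntries(lockText) {
  return findIpEntries(lockText)
    .filter(e => compareVersions(parseVersion(e.version), MIN_SAFE) <= 0);
}

// Human-readable summary, suitable for a CI step that fails on findings.
function report(lockText) {
  const bad = vulnerableIpEntries(lockText);
  if (bad.length === 0) return 'OK: all resolved ip versions are > 2.0.0';
  return 'FAIL: ip versions not > 2.0.0:\n' +
    bad.map(e => `  ${e.spec} -> ${e.version}`).join('\n');
}

console.log(report(SAMPLE_LOCK));
```

Run it with `node check-ip.js` after pointing it at the real lockfile (read the file instead of SAMPLE_LOCK); in the constructed excerpt it flags the `ip@^1.1.5` entry resolved to 1.1.8 and accepts 2.0.1. A non-empty result means some dependency still pins the old major, which is exactly the "hoisted from" situation the issue describes.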

LeandraH commented 5 months ago

From https://github.com/react-native-community/cli/issues/2294 : FYI, the only affected command is profile-hermes when producing source maps. If you're not using it on a server (e.g. your CI), you're safe to ignore this and wait for us to patch it once we have a proper solution. If you are using it however, please disable it temporarily.

We don't use profile-hermes as far as I can tell, so we should be able to just wait for them.

sarahsporck commented 4 months ago

Will be closed by #1007