minio / operator

Simple Kubernetes Operator for MinIO clusters :computer:
https://min.io/docs/minio/kubernetes/upstream/index.html
GNU Affero General Public License v3.0

Upgrade package ip #2147

Closed ramondeklein closed 2 months ago

ramondeklein commented 4 months ago

NPM package auditing resulted in the following message:

└─ ip
   ├─ ID: 1097346
   ├─ Issue: ip SSRF improper categorization in isPublic
   ├─ URL: https://github.com/advisories/GHSA-2p57-rm9w-gvfp
   ├─ Severity: high
   ├─ Vulnerable Versions: <=2.0.1
   │ 
   ├─ Tree Versions
   │  └─ 2.0.1
   │ 
   └─ Dependents
      └─ web-app@workspace:.

The ip NPM package has a known security issue and needs to be upgraded. Once the package is upgraded, the line --ignore '1097346' can be removed from the ui.yaml workflow.

ramondeklein commented 4 months ago

There is no updated version available yet.

cesnietor commented 4 months ago

context: https://github.com/indutny/node-ip/issues/150

msummers42 commented 3 months ago

Came across this as a consumer of this package and a user of minio. It appears the upstream has archived the repo. We are considering moving to this fork https://github.com/eggjs/node-ip as we evaluate usage. It's tricky due to the sheer number of dependent projects.

ramondeklein commented 3 months ago

@msummers42 Thanks for mentioning that https://github.com/indutny/node-ip is now archived. It looks like our repo isn't affected by the security issue, but relying on an archived package is never a good idea.

@cesnietor I think we should check what exactly depends on this package and how to fix that.

pjuarezd commented 2 months ago

Now that Operator Console is deprecated, we no longer need to upgrade the ip package.