github-actions[bot]
commented
2 years ago :tada: This PR is included in version 10.3.5 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
Closed dependabot[bot] closed 2 years ago
github-actions[bot]
commented
2 years ago :tada: This PR is included in version 10.3.5 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
wemeetagain
commented
2 years ago @achingbrain see https://github.com/ChainSafe/lodestar/issues/4689
is-ip 5.0.0 is significantly slower due to wrapping the regex call in the super-regex library.
Recommendation to revert this PR or roll our own dependency.
wemeetagain
commented
2 years ago If we need better protection against regex DoS, we should be able to limit the input string in some ways without resorting to nifty but slow techniques like super-regex.
achingbrain
commented
2 years ago I've opened https://github.com/sindresorhus/is-ip/issues/14
sindresorhus
commented
2 years ago If we need better protection against regex DoS, we should be able to limit the input string in some ways without resorting to nifty but slow techniques
Unfortunately from experience, this is not always enough. A malicious input could make the regex crawl to a halt in 20 characters.
sindresorhus
commented
2 years ago I'm the author of is-ip. I'm happy to add an option to skip super-regex, but I think you want the ReDoS protection. I'm open to other ideas.
Alternatively, you can just use ip-regex package directly.
wemeetagain
commented
2 years ago Hey @sindresorhus thanks for replying :)
We def don't want to be vulnerable to DoS attacks. But we also are running into performance issues with the current approach.
Some possible directions:
If we can determine that there are some uses of is-ip that are trusted / we know won't pass in malicious input. We could use regex and skip the call to super-regex.
If we can use or build something less generic than regex that doesn't have the same worst-case properties. Eg: rust std has a custom parser to parse IP addrs from strings: https://doc.rust-lang.org/src/std/net/parser.rs.html#36
use net.isIP?
Bumps is-ip from 4.0.0 to 5.0.0.
Release notes
Sourced from is-ip's releases.
Commits
be5c37a5.0.03860056Require Node.js 146f8e914Meta tweaksDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)