Newest lts version of 20.11.1 will install `ip` package of version 2.0.0 which has some security issues by default

[lo-tp]

Details

When installing node of version v20.11.1, it will automatically install ip of 2.0.0 in usr/local/lib/node_modules/npm/node_modules/ip/ which could be maliciously exploited. Check NVD - CVE-2023-42282 for the detail about this vulnerability. Could we release a new version to update the ip package version to 2.0.1 to fix the above security issue?

Node.js version

20.11.1

Example code

No response

Operating system

• Mac OSX
• Linux

Scope

• installation
• runtime

Module and version

Not applicable.

[smorehouse]

Looking for this fix also!

[valentin-nasta]

I have the same issue, current workaround is: npm install -g npm@10.5.0

[e55o]

@valentin-nasta how did you solve it, in which step of your docker image you updated the npm version?

[valentin-nasta]

@e55o right after the FROM tag, like in the following block:

FROM node:20-alpine3.19
# Handle CVE-2023-42282
RUN npm install -g npm@10.5.0

[e55o]

@valentin-nasta I was just asking because my corporate security tools also detected a different vulnerability in npm version 10.5.0, thank you anyways!

[valentin-nasta]

@e55o what vulnerability in that npm version was detected, please share if you can :)

[e55o]

@valentin-nasta unfortunately, i don't have access to these tools to check the exact vulnerability for you :/

[GuusDeGraeve]

https://nvd.nist.gov/vuln/detail/CVE-2023-42282

It has been scored as critical.

@valentin-nasta / @e55o

[RedYetiDev]

@nodejs/npm

[wraithgar]

@RedYetiDev updating npm in older node versions is something the nodejs folks do.

[richardlau]

This was fixed in npm@10.5.0 which was included in Node.js 20.12.0.

[RedYetiDev]

@RedYetiDev updating npm in older node versions is something the nodejs folks do.

My apologies! Next time I'll tag a nodejs LTS member.