search

webtorrent / bittorrent-dht

🕸 Simple, robust, BitTorrent DHT implementation
https://webtorrent.io
MIT License
1.23k stars 203 forks source link

chore(deps): update dependency ip to v1.1.9 [security] #300

Closed renovate[bot] closed 2 months ago

renovate[bot] commented 9 months ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
ip 1.1.8 -> 1.1.9 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-42282

The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

Release Notes

indutny/node-ip (ip) ### [`v1.1.9`](https://togithub.com/indutny/node-ip/compare/v1.1.8...v1.1.9) [Compare Source](https://togithub.com/indutny/node-ip/compare/v1.1.8...v1.1.9)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

â™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.

socket-security[bot] commented 9 months ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/ip@1.1.9 None 0 15.5 kB indutny

🚮 Removed packages: npm/ip@1.1.8)

View full report↗︎