Build(deps): [security] bump ip from 2.0.0 to 2.0.1 #1714

Merged
argoyle merged 1 commit from dependabot-npm_and_yarn-ip-2.0.1 into main 2024-02-20 14:55:55 +00:00
argoyle commented 2024-02-20 04:40:21 +00:00 (Migrated from gitlab.com)

Bumps [ip](https://github.com/indutny/node-ip) from 2.0.0 to 2.0.1. **This update includes a security fix.**

Vulnerabilities fixed

NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks
An issue in all published versions of the NPM package `ip` allows an attacker to execute arbitrary code and obtain sensitive information via the `isPublic()` function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.

Patched versions: none
Affected versions: <= 2.0.0

Commits

  • [3b0994a](https://github.com/indutny/node-ip/commit/3b0994a74eca51df01f08c40d6a65ba0e1845d04) 2.0.1
  • [32f468f](https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa) lib: fixed CVE-2023-42282 and added unit test
  • See full diff in [compare view](https://github.com/indutny/node-ip/compare/v2.0.0...v2.0.1)

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • `$dependabot recreate` will recreate this MR rewriting all the manual changes and resolving conflicts
argoyle (Migrated from gitlab.com) merged commit into main 2024-02-20 14:55:55 +00:00