-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Nodejs using vulnerable package for ip #51848
Comments
If you use |
Yes agree with you its a very long chain. Lets see what we can do as it should be fixed. |
Or, it seems npm CLI is only using |
Discussion on this issue in npm repo - npm/cli#7216 |
I think we should move this to https://github.com/nodejs/nodejs-dependency-vuln-assessments. Any concerns with moving it there? |
This is causing some issues with our security scanner. We might need to delete the dependency as part of the build process until it's fixed in the base images. using base image |
How did you manage to remove it? |
when do we have a fix on Node version 20 ? ip is still referencing 2.0.0 |
Version
v21.6.2
Platform
Linux 3aa06663b056 6.6.12-linuxkit #1 SMP PREEMPT_DYNAMIC Tue Jan 30 09:48:40 UTC 2024 x86_64 Linux
Subsystem
ip
What steps will reproduce the bug?
Build container image with node version v21.6.2 and scan it using any image scanning tool available.
It will report the medium severity vulnerability in ip package which is bundled as deps for nodejs here: https://github.com/nodejs/node/blob/main/deps/npm/node_modules/ip/package.json
You can also find the more information about this vulnerability here: GHSA-78xj-cgh5-2h22
How often does it reproduce? Is there a required condition?
No response
What is the expected behavior? Why is that the expected behavior?
You should change the ip package version to 2.0.1.
What do you see instead?
Medium Severity Vulnerability
Additional information
No response
The text was updated successfully, but these errors were encountered: