
Can the dependency on the `ip` package be removed in a new version? #94

Closed
Harvey1976 opened this issue Jun 11, 2024 · 6 comments · Fixed by #95

Comments

@Harvey1976

The `ip` package has a CVE, but its owner has neglected maintenance and it has not been updated for a long time.

Our product uses the egg framework, but because of the problem with this `ip` package we ran into a lot of trouble at release time. Looking at it, the functionality of the `ip` package is very narrow; could this dependency be removed? Don't let it stop us from continuing to use egg and egg-security.

indutny/node-ip#144

@fengmk2 (Member) commented Jun 11, 2024

As far as I know, we are not affected by that library's security vulnerability.

@Harvey1976 (Author)

But I see that egg-security's package.json lists the `ip` package.
The `ip` library does have a CVE, but they still haven't released a new version, and as far as I can tell our project's dependency tree does reference `ip`.
We are an egg project and use egg-security, so when customers scan with tools like trivy, this issue is always flagged.

@Harvey1976 (Author)

```json
"dependencies": {
  "csrf": "^3.0.6",
  "delegates": "^1.0.0",
  "egg-path-matching": "^1.0.0",
  "escape-html": "^1.0.3",
  "extend": "^3.0.1",
  "ip": "^2.0.1",   <<<<<<<<<< this is the one
  "koa-compose": "^4.1.0",
  "matcher": "^4.0.0",
  "methods": "^1.1.2",
  "nanoid": "^3.3.6",
  "platform": "^1.3.4",
  "statuses": "^2.0.1",
  "type-is": "^1.6.15",
  "xss": "^1.0.3"
},
```

@fengmk2 (Member) commented Jun 12, 2024

OK, I'll look at indutny/node-ip#150 and try switching to a different library.

fengmk2 added a commit to eggjs/node-ip that referenced this issue Jun 12, 2024
merge indutny#144

eggjs/egg-security#94


## Summary by CodeRabbit

- **New Features**
  - Introduced new IP validation functions: `isValid`, `normalizeStrict`, `isValidAndPrivate`, `normalizeLax`, and `isValidAndPublic`.

- **Documentation**
  - Updated README with new installation instructions, security fix note, and license information.

- **Refactor**
  - Updated IP address manipulation functions for better validation and normalization.

- **Chores**
  - Updated Node.js versions in CI workflow and upgraded GitHub Actions dependencies.
  - Renamed package from "ip" to "@eggjs/ip" and updated relevant URLs.

fengmk2 added a commit that referenced this issue Jun 12, 2024
fengmk2 added a commit that referenced this issue Jun 12, 2024
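The release notes above describe strict and lax normalization plus `isValidAndPrivate` / `isValidAndPublic` helpers. The point of that shape is that an address is only ever classified after it has been accepted in one canonical form, so that no "private or public?" answer is given for a string different parsers might read differently. The block below is an added illustration written for this page; it is not the `@eggjs/ip` implementation, and the function names and semantics (which ranges count as private, what the lax path tolerates) are my own assumptions chosen to show the principle.

```javascript
// Added example, not @eggjs/ip's code: strict IPv4 validation with
// private/public classification layered on top, so classification never runs
// on a string that has not been accepted in canonical dotted-decimal form.

// Ranges treated as "private" here (assumption for the example): RFC 1918,
// loopback and link-local.
const PRIVATE_V4 = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
];

// Strict: exactly four decimal octets, no leading zeros, each 0..255.
// Leading-zero octets such as "0177" are rejected outright because parsers
// disagree on whether they mean octal or decimal; guessing is not safe.
function isValid(ip) {
  if (typeof ip !== "string") return false;
  if (!/^(?:(?:0|[1-9]\d{0,2})\.){3}(?:0|[1-9]\d{0,2})$/.test(ip)) return false;
  return ip.split(".").every((o) => Number(o) <= 255);
}

// Lax: tolerate surrounding whitespace and the IPv4-mapped IPv6 spelling
// "::ffff:a.b.c.d", but return the canonical dotted-decimal string only if the
// embedded address passes the strict check; anything else yields null.
function normalizeLax(input) {
  if (typeof input !== "string") return null;
  let s = input.trim();
  const mapped = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(s);
  if (mapped) s = mapped[1];
  return isValid(s) ? s : null;
}

// Dotted-decimal string (already validated) to an unsigned 32-bit integer.
function toInt(ip) {
  return ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);
}

// True if `ip` falls inside base/bits. `>>> 0` keeps the mask unsigned.
function inCidr(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(base) & mask) >>> 0);
}

function isPrivate(canonicalIp) {
  return PRIVATE_V4.some(([base, bits]) => inCidr(canonicalIp, base, bits));
}

// Both classifiers go through normalizeLax first. Invalid input is neither
// private nor public: both return false and callers must treat that as a
// rejection rather than defaulting to one side.
function isValidAndPrivate(ip) {
  const canon = normalizeLax(ip);
  return canon !== null && isPrivate(canon);
}

function isValidAndPublic(ip) {
  const canon = normalizeLax(ip);
  return canon !== null && !isPrivate(canon);
}

module.exports = { isValid, normalizeLax, isPrivate, isValidAndPrivate, isValidAndPublic };
```

The design choice worth copying is that `isValidAndPrivate` and `isValidAndPublic` are not complements of each other: for a rejected string both are false, so a caller that only allows outbound requests to public addresses cannot be talked into treating an unparseable address as "not private".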
@fengmk2 (Member) commented Jun 12, 2024

@Harvey1976 Done.

@Harvey1976 (Author)

Thanks.
