Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NPM IP package warning overstates danger #3537

Closed
matkoniecz opened this issue Feb 14, 2024 · 2 comments
Closed

NPM IP package warning overstates danger #3537

matkoniecz opened this issue Feb 14, 2024 · 2 comments

Comments

@matkoniecz
Copy link

See indutny/node-ip#136 (comment)

You're only vulnerable to anything remotely close to what the advisory talks about if:

You have a vulnerable version of ip in your deps
and you or your dependencies use the isPublic() function
and that function is used to guard something sensitive
and the input you pass to isPublic() is user input

Only then, you have a problem.
@dotboris
Copy link

I've opened this PR #3531 to change the advisory to better represent the actual situation.

@KateCatlin
Copy link
Collaborator

Looks like this issue was resolved in our community contributions UI, so I'll go ahead and close this issue. Thanks to both of you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@matkoniecz @dotboris @KateCatlin