werift library has high severity issue due to 3rd party package #412
Comments
That is a nonsense issue and can be ignored. There's been a lot of discussion about this elsewhere.
Maybe, maybe not, but we should look for ways to mitigate things like this. Given CVE has marked it as high severity and that hasn't changed, docker scout also does the same. Also, the ip package appears un-maintained, so it would be prudent to look at moving away from the reliance on the package.
The project is maintained. It's also complete. IP parsing is a solved problem. There is no need for further updates. The issue here is pay-per-vulnerability hunting incentivizing bogus reports.
Very much unmaintained by the various comments and threads around. The current high-sev has been raised due to ip v2.0.1 NOT resolving the issue.
The source uses the ip library, which has known high severity issues with no current fix in place by the package maintainers. See indutny/node-ip#150.
This needs to be addressed here, by finding an alternate replacement library or code around the requirement.