Add nsprc file to npm-audit with expiration for ip vulnerability #1056
Conversation
|
Hi @dlpzx , The node-ip library seems to be unmaintained - the last commit is from 2 years ago and vulnerability was published after the maintainer haven't responded within 90 days We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an ip 1.1.8-sp and 2.0.0-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free. If relevant, check out our GitHub repo if you wish to learn more, or start using our app. Please feel free to reach us at [email protected] if you have any requests/questions. |
|
Hi @levpachmanov, thank you for reaching out :) We are keeping an eye on |
### Feature or Bugfix - Bugfix ### Detail There is a new vulnerability found in the package `ip`. Similar to the one that we faced a couple of months ago (check this [PR](#1056)). In fact the CVE opened now is the result of the old vulnerability being only partially fixed. There is not a fixed version and there are no PRs open in the original repo. There is not much activity happening in this repository, so a fix might take some time. At the same time, we do not use this package directly, it is a sub-dependency from react-native packages. Since `node_modules/@react-native-community/cli` version: 13.6.6, does not use `ip`, the easiest way for us to avoid this issue is to upgrade react-native packages. In addition, this PR removes an expired ignore for npm-audit. ### Relates - #1056 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Feature or Bugfix
Detail
.nsprcfile for ignored vulnerabilities inbetter-npm-audit.ippackage to ignored vulnerabilities with expiration 2024/02/28: https://www.cve.org/CVERecord?id=CVE-2023-42282The vulnerability found in
ipaffects us because we use thereact-native-community/clipackage. In this package repository an issue reporting the vulnerabilty was already raised.Update:
ipteam is working on a fix: indutny/node-ip#138Relates
Security
Please answer the questions below briefly where applicable, or write
N/A. Based onOWASP 10.
fetching data from storage outside the application (e.g. a database, an S3 bucket)?
evalor similar functions are used?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.