Update dependency ip to v1.1.9 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
ip	1.1.8 → 1.1.9

---

NPM IP package incorrectly identifies some private IP addresses as public

CVE-2023-42282 / GHSA-78xj-cgh5-2h22

More information

Details

The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

Severity

Low

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-42282
• https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
• https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447
• https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999
• https://github.com/indutny/node-ip/pull/138
• https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa
• https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894
• https://github.com/advisories/GHSA-78xj-cgh5-2h22

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

indutny/node-ip (ip)

v1.1.9

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.