ipaddr.js is pinned at 1.9.1. The previous request (#23) was closed citing
ipaddr.js's "use 2.x for Node 10+, 1.x for older" policy. That rationale is
now stale:
- Node 10 reached EOL in April 2021 (~5 years ago).
- proxy-addr 2.0.0 dropped Node < 0.10 in Aug 2017; the floor is far below
what 2.x ipaddr.js requires.
- ipaddr.js 2.x is API-compatible with 1.x for proxy-addr's usage
(parse, range, match).
- 2.x ships additional reserved/special-purpose ranges (RFC7534, RFC7535,
RFC7450, RFC6666, RFC5180, 198.18.0.0/15, 2001: blocks) that are
security-relevant for trust-list matching.
- A precedent: tinyhttp/proxy-addr@f891136 (Feb 2026) dropped ipaddr.js
entirely in favour of the now-stable net.isIP + net.BlockList —
another viable direction here.
Concrete asks (in order of effort):
- Bump dep to ^2.0.0.
- Or replace with native net.isIP + net.BlockList, like tinyhttp did.
Both eliminate the recurring FOSS-scan flag on consumers' trees.
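
A sketch of the second ask, trust-list matching built only on net.isIP and net.BlockList, with the special-purpose ranges listed above compiled the same way. This is an added example, not code from proxy-addr, ipaddr.js or tinyhttp; `compile`, `normalize`, `SPECIAL_PURPOSE` and `isSpecialPurpose` are hypothetical names, the CIDR values are the assignments from the cited RFCs, and a Node.js release that ships net.BlockList is assumed.

```javascript
const net = require('node:net');

// Special-purpose ranges named in the post (CIDR values from those RFCs).
const SPECIAL_PURPOSE = [
  '198.18.0.0/15',     // RFC 2544 benchmarking
  '192.175.48.0/24',   // RFC 7534 AS112
  '2620:4f:8000::/48', // RFC 7534 AS112
  '192.31.196.0/24',   // RFC 7535 AS112 redirection
  '2001:4:112::/48',   // RFC 7535 AS112 redirection
  '192.52.193.0/24',   // RFC 7450 AMT
  '2001:3::/32',       // RFC 7450 AMT
  '100::/64',          // RFC 6666 discard-only
  '2001:2::/48',       // RFC 5180 benchmarking
];

// Strip the dotted IPv4-mapped form so "::ffff:10.0.0.1" is matched as IPv4.
function normalize(addr) {
  const m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(addr);
  return m && net.isIP(m[1]) === 4 ? m[1] : addr;
}

// Compile CIDR strings (or bare addresses) into a matcher (hypothetical helper).
function compile(cidrs) {
  const list = new net.BlockList();
  for (const cidr of cidrs) {
    // Strict parse: "10.0.0.0/" must not silently become a /0 that matches all.
    const m = /^([^/]+)(?:\/(\d+))?$/.exec(cidr);
    const family = m ? net.isIP(m[1]) : 0;
    if (family === 0) throw new TypeError(`invalid entry: ${cidr}`);
    const max = family === 4 ? 32 : 128;
    const prefix = m[2] === undefined ? max : Number(m[2]);
    if (prefix > max) throw new RangeError(`invalid prefix length: ${cidr}`);
    list.addSubnet(m[1], prefix, family === 4 ? 'ipv4' : 'ipv6');
  }
  return (addr) => {
    const a = normalize(String(addr));
    const family = net.isIP(a);
    // Unparseable input is never a match: fail closed.
    return family !== 0 && list.check(a, family === 4 ? 'ipv4' : 'ipv6');
  };
}

const isSpecialPurpose = compile(SPECIAL_PURPOSE);
```
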