
Newest LTS version 20.11.1 will install `ip` package of version 2.0.0, which has some security issues by default

Open lo-tp opened this issue 11 months ago • 8 comments

Details

When installing Node of version v20.11.1, it automatically installs ip 2.0.0 in usr/local/lib/node_modules/npm/node_modules/ip/, which could be maliciously exploited. Check NVD - CVE-2023-42282 for details about this vulnerability. Could we release a new version to update the ip package to 2.0.1 to fix the above security issue?

Node.js version

20.11.1

Example code

No response

Operating system

  • Mac OSX
  • Linux

Scope

  • installation
  • runtime

Module and version

Not applicable.

lo-tp · Mar 11 '24 09:03
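As an added example (not code from the issue, from Node.js or from npm), a small Python audit that walks an npm `node_modules` tree, such as the bundled npm under the path named in the report, and lists every copy of `ip` older than the 2.0.1 the report asks for; the sample tree it builds is constructed for illustration, and the nested `socks` location in it is an assumption, not something the issue states.

```python
"""Find copies of the `ip` package older than the fixed version in a node_modules tree."""
import json
import os
import tempfile
from pathlib import Path

PACKAGE = "ip"
FIXED_VERSION = "2.0.1"  # version the issue asks npm to ship

def parse_version(v):
    """Turn '2.0.0' into (2, 0, 0); any pre-release or build suffix is ignored."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def find_vulnerable_ip(root, fixed=FIXED_VERSION):
    """Return [(directory, version)] for each `ip` package under root older than `fixed`."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != PACKAGE or "package.json" not in filenames:
            continue
        try:
            meta = json.loads(Path(dirpath, "package.json").read_text())
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        if meta.get("name") != PACKAGE:
            continue  # a directory merely named "ip" is not the package
        version = str(meta.get("version", "0"))
        if parse_version(version) < parse_version(fixed):
            hits.append((dirpath, version))
    return hits

def build_sample_tree(root):
    """Constructed sample (assumption): npm bundling ip@2.0.0 plus a nested, fixed ip@2.0.1."""
    layout = {
        "npm/node_modules/ip": "2.0.0",
        "npm/node_modules/socks/node_modules/ip": "2.0.1",
    }
    for rel, ver in layout.items():
        d = Path(root, rel)
        d.mkdir(parents=True)
        d.joinpath("package.json").write_text(json.dumps({"name": PACKAGE, "version": ver}))

def audit_sample():
    """Run the audit over the constructed tree and return hits as (relative path, version)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.relpath(p, tmp), v) for p, v in find_vulnerable_ip(tmp)]

if __name__ == "__main__":
    # On a real install, point it at the bundled npm, e.g. /usr/local/lib/node_modules/npm
    for path, ver in audit_sample():
        print(f"vulnerable ip@{ver} at {path}")
```

Running it against the constructed tree reports only the bundled `ip@2.0.0`; the nested 2.0.1 copy is left alone.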