The ip package last update was 2 years ago.
https://www.npmjs.com/package/ip

My problem is with puppeteer instead of react, but same issue: will really ip package be updated? I think it is not maintained anymore...

from cli.

FYI there is now a 1.1.9 and 2.0.1.

However the CVE needs to be updated to allow the 1.1.9 release to be seen as a valid fix:
github/advisory-database#3553

from cli.

yeah .. I just wanted to point out that this release now exists and that people might still see dependabot etc complain until the CVE is updated.

from cli.

anyone find any workaround pls share here, thanks!

there's no workaround, the library needs to be either patched or replaced

from cli.

FYI, the only affected command is profile-hermes when producing source maps. If you're not using it on a server (e.g. your CI), you're safe to ignore this and wait for us to patch it once we have a proper solution. If you are using it however, please disable it temporarily.

from cli.

@azmainamin it should be enough to regenerate the lockfile entry for this package in your project, now that github/advisory-database#3553 is merged

from cli.

Thanks, i'm facing the same issue.

from cli.

hey @taylorjdawson, thanks for reporting! I've just created #2295 bumping ip package 👍

from cli.

@szymonrybczak does that fix it though? The issue I believe is with the latest version of the ip package.

from cli.

@taylorjdawson ah, right. I wrongly looked and I thought it was <1.1.18, let's see if maintainers will release a patch fix.

from cli.

so im not only one who faced that problem :/
anyone found an fix to this? i need to complete the tasks real bad lol

from cli.

seems like this upstreams to the latest version of react-native

from cli.

Hey, I'm facing the same issue, Should I downgrade my @react-native-community/cli package version to a certain one so it will not be affected by the latest upgrade?

this is the 'npm audit' result:

npm audit report

ip <=1.1.8
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - GHSA-78xj-cgh5-2h22
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/ip
@react-native-community/cli-doctor *
Depends on vulnerable versions of ip
node_modules/@react-native-community/cli-doctor
@react-native-community/cli >=4.13.0
Depends on vulnerable versions of @react-native-community/cli-doctor
Depends on vulnerable versions of @react-native-community/cli-hermes
node_modules/@react-native-community/cli
react-native <=0.0.0-ffdfbbec0 || >=0.69.0-rc.0
Depends on vulnerable versions of @react-native-community/cli
node_modules/react-native
react-native-pie-chart >=3.0.0
Depends on vulnerable versions of react-native
node_modules/react-native-pie-chart
@react-native-community/cli-hermes *
Depends on vulnerable versions of ip
node_modules/@react-native-community/cli-hermes

thank you in advance

from cli.

anyone find any workaround pls share here, thanks!

from cli.

same error here

from cli.

The PR is opened here and should probably be merged soon.

from cli.

The PR is opened here and should probably be merged soon.

I wouldn't count on it to be merged soon... I've seen a lot of depended libraries moving away from ip lib. I think @taylorjdawson proposal is very sound

from cli.

anyone find any workaround pls share here, thanks!

there's no workaround, the library needs to be either patched or replaced

i have tried patched the ip library. But still not work for me

from cli.

1.1.9 is within the semver range so refreshing the lock file should be enough. Additionally we merged #2299 (which drops the dependency on ip offering an alternative) which we intend to backport to RN 0.72 and 0.71 – although with the fix being within the semver range, I'm not sure if that's gonna be necessary and will leave that to the RN release crew to decide.

from cli.

Thanks for doing that @lsmith77

from cli.

If using React Native version 0.68.2. How can we get the patch/fix?

from cli.