[email protected] rejected Risk: 28 MIT 2024-02-19

ip @2.0.1

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

MIT

License

Install Scripts

Dependencies

Dev Dependencies

5.1 KB

Package Size

2024-02-19

Published

[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)

Maintainers

bcbaileyfedor.indutnymmaleckiindutnyindexzero

Dev Dependencies (2)

Package	Constraint	Registry Status
mocha	^10.0.0	auto_approved
eslint	^8.15.0	auto_approved

Changes from v0.3.3

Dependency Changes

Script Changes

+ fix+ lint

File Changes

0 added 2 removed 3 modified size delta: -8.7 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`osv:GHSA-2p57-rm9w-gvfp`	osv	reject	AI	AI (osv): HIGH severity SSRF vulnerability with no fix available; affected range covers all versions <= 2.0.1, generalizes to every published version of this package until a patched release appears.

SAST Findings (2)

HIGH GHSA-2p57-rm9w-gvfp: ip SSRF improper categorization in isPublic osv

CVSS 8.1 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 28. Findings: 1 high (+25), 1 low (+3).

Commit: 3b0994a74eca Browse source

Published to npm: 2024-02-19