
Request for patched npm version to address ip package vulnerability (CVE-2023-42282) #7235

Closed
Soumalya-Github opened this issue Feb 20, 2024 · 2 comments

Comments

@Soumalya-Github

Soumalya-Github commented Feb 20, 2024

Last week, CVE-2023-42282 was reported for versions up to 2.0.0 of the NPM package ip. As this package, along with its parent dependencies, is bundled with npm, we are unable to directly update them within our project. Despite attempting to upgrade to the latest npm version 10.4.0, the project still references the vulnerable version of the ip package.

Moreover, ip has just recently released version 2.0.1 containing the necessary fix for the vulnerability. So, are there any plans to release a patched version of npm, in versions 9 or 10, to align with the latest secure version of the ip package?

@nam-nguyen-clv

nam-nguyen-clv commented Feb 20, 2024

Already have duplicate issues here: #7223, #7216

@ljharb (Contributor)

ljharb commented Feb 20, 2024

Duplicate of #7216.

ljharb closed this as not planned (duplicate) on Feb 20, 2024.