Core: Replace ip package with internal-ip to address security concerns
#26025
Conversation
The 'ip' package has been switched out for 'internal-ip' (with identical functionality coverage) because of the high-level security vulnerability in the former. The change is done at the consuming utility function and the corresponding test cases.
|
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/@types/ip@1.1.3 |
valentinpalkovic
added
ci:normal
patch:yes
|
|
Replacing the static import with a dynamic one inside the 'beforeEach' hook should ensure that the new IP address utility is fully loaded before running the tests.
|
@valentinpalkovic I have updated the lib tests and they seem to pass successfully in CI/CD env: 
But the suite for 
Do you have any hints on what could I do with that to make it pass? |
|
Sorry if I wasn’t precise enough. I meant to change the actual implementation instead of the test. As you can see, sandboxes cannot be generated because of the ESM issue. |
The 'internal-ip' ESM module is now imported asynchronously within the 'getServerAddresses' function, rather than statically at the beginning of the script. That's necessary to comply with CommonJS output support flow.
The 'getServerAddresses' function was updated to perform an asynchronous operation. That requires some tweaks in consuming code, including the tests.
…orio/storybook into pr/fyodorio/26025
|
@valentinpalkovic thanks a lot for the Midas touch, I got pretty confused tbh 👍😅 |
|
Hehe. :) I have pushed another commit. Let's see whether we get CI finally green. |
|
@fyodorio Thank you so much for your contribution so far! |
valentinpalkovic
changed the title
ip package with internal-ip to address security concernsip package with internal-ip to address security concerns
|
Great to see this is fixed. Is there any ETA for this MR? |
|
It’s planned for tomorrow to do some final testing, get it merged, and patched back to 7.6. |
|
During tests, I stumbling upon an issue where actually the internal address wasn't returned. With
With
An issue has already been reported: sindresorhus/internal-ip#48, but it's from June 2023. I don't think, that the maintainers of So we have three possibilities: a) We downgrade @fyodorio WDYT? cc @shilman |
|
Fork SGTM @valentinpalkovic -- are there any other packages that are better maintained? |
|
Maybe using ip-address like socks? |
|
Hi guys, I was reviewing the I wouldn't go for a fork either, just for a single method. What about just implementing that as a new utility function inside WDYT? If you support that, I would try to come up with a suggestion during the weekend. |
|
@cosieLq cool, looks reasonable, I'd only suggest to add the proper test coverage using one of existing functions there as an example — also if there are (should be, I believe) tests for the corresponding methods in |
|
@fyodorio thank you for your suggestion. I've added a unit test to |
This comment was marked as off-topic.
This comment was marked as off-topic.
Closes #26014
What I did
The
ippackage has been switched out forinternal-ip(with identical functionality coverage) because of the high-level security vulnerability in the former. The change is done at the consuming utility function and the corresponding test cases.My research shown that the
internal-ippackage by @sindresorhus provides sufficiently identical (toip.address()) functionality via theinternalIpV4Sync()function. So the suggestion is to go with this package further on instead of the poorly maintained (and vulnerable, see the linked issue details)ippackage.Checklist for Contributors
Testing
The changes in this PR are covered in the following automated tests:
Manual testing
This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!
Documentation
MIGRATION.MD
Checklist for Maintainers
When this PR is ready for testing, make sure to add
ci:normal,ci:mergedorci:dailyGH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found incode/lib/cli/src/sandbox-templates.tsMake sure this PR contains one of the labels below:
Available labels
bug: Internal changes that fixes incorrect behavior.maintenance: User-facing maintenance tasks.dependencies: Upgrading (sometimes downgrading) dependencies.build: Internal-facing build tooling & test updates. Will not show up in release changelog.cleanup: Minor cleanup style change. Will not show up in release changelog.documentation: Documentation only changes. Will not show up in release changelog.feature request: Introducing a new feature.BREAKING CHANGE: Changes that break compatibility in some way with current major version.other: Changes that don't fit in the above categories.🦋 Canary release
This pull request has been released as version
0.0.0-pr-26025-sha-9ddb0c81. Try it out in a new sandbox by runningnpx storybook@0.0.0-pr-26025-sha-9ddb0c81 sandboxor in an existing project withnpx storybook@0.0.0-pr-26025-sha-9ddb0c81 upgrade.More information
0.0.0-pr-26025-sha-9ddb0c81fyodorio/26014-fix-ip-vulnerability9ddb0c811708001629)To request a new release of this pull request, mention the
@storybookjs/coreteam.core team members can create a new canary release here or locally with
gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=26025