fix: replace vulnerable ip package with ipaddr.js + node built-ins

ip had a high severity SSRF vuln (GHSA-2p57-rm9w-gvfp) with no upstream fix. Replace with: - net.isIPv4/isIPv6 (Node built-in) for format validation - ipaddr.js for CIDR subnet matching Add package-lock.json for reproducible builds (required for npm ci). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 15:45:04 +00:00
parent 09124b10b9
commit 20c6f5ead7
3 changed files with 826 additions and 5 deletions
--- a/dashboard/package.json
+++ b/dashboard/package.json
@@ -12,7 +12,7 @@
  "dependencies": {
    "dotenv": "*",
    "express": "*",
-    "ip": "*",
+    "ipaddr.js": "*",
    "node-fetch": "^2"
  }
 }