Advisory GHSA-8p33-q827-ghj5

[rfrench]

Hi, I’m using dssrf@1.0.3 and noticed that GitHub/npm audit still flags GHSA-8p33-q827-ghj5:

dssrf: every IPv6 category bypasses is_url_safe
affected range: <1.3.0

While I'm not positive, it seems like the issue was resolved with version 1.0.3, but the advisory lists 1.3.0 as the patched version. Could you confirm which version actually fixed GHSA-8p33-q827-ghj5? If 1.0.3 is already patched, would you be able to update the GitHub Security Advisory affected range / patched version so downstream npm audit stop producing a false positive?

[HackingRepo]

thank's for that feedback there a problems

[HackingRepo]

recheck again @rfrench ?

[rfrench]

Looks the same for me:

$ npm install dssrf@latest

up to date, audited 320 packages in 804ms

75 packages are looking for funding
  run `npm fund` for details

3 vulnerabilities (2 moderate, 1 high)

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

$ npm audit report        

dssrf  *
Severity: high
dssrf: every IPv6 category bypasses is_url_safe - https://github.com/advisories/GHSA-8p33-q827-ghj5
Depends on vulnerable versions of ip-cidr
No fix available
node_modules/dssrf

ip-address  <=10.1.0
Severity: moderate
ip-address has XSS in Address6 HTML-emitting methods - https://github.com/advisories/GHSA-v2v4-37r5-5v8g
No fix available
node_modules/ip-address
  ip-cidr  *
  Depends on vulnerable versions of ip-address
  node_modules/ip-cidr

3 vulnerabilities (2 moderate, 1 high)

Some issues need review, and may require choosing
a different dependency.

$ npm ls ip-address
<redacted>@2.0.0 /redacted
└─┬ dssrf@1.0.3
  └─┬ ip-cidr@4.0.2
    └── ip-address@9.0.5

[HackingRepo]

interesting maybe will take a while to that progates i just updated the github advisory

[HackingRepo]

when i have time i will debug why