Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add nsprc file to npm-audit with expiration for ip vulnerability (#1056)
### Feature or Bugfix - Bugfix ### Detail - Add `.nsprc` file for ignored vulnerabilities in `better-npm-audit`. - Added `ip` package to ignored vulnerabilities with expiration 2024/02/28: https://www.cve.org/CVERecord?id=CVE-2023-42282 The vulnerability found in `ip` affects us because we use the `react-native-community/cli` package. In this package repository an [issue reporting the vulnerabilty](react-native-community/cli#2294) was already raised. Update: `ip` team is working on a fix: indutny/node-ip#138 ### Relates - https://www.cve.org/CVERecord?id=CVE-2023-42282 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
- Loading branch information