Upgrade package ip

[ramondeklein]

NPM package auditing resulted in the following message:

└─ ip
   ├─ ID: 1097346
   ├─ Issue: ip SSRF improper categorization in isPublic
   ├─ URL: https://github.com/advisories/GHSA-2p57-rm9w-gvfp
   ├─ Severity: high
   ├─ Vulnerable Versions: <=2.0.1
   │ 
   ├─ Tree Versions
   │  └─ 2.0.1
   │ 
   └─ Dependents
      └─ web-app@workspace:.

The ip NPM package has a known security issue and needs to be upgraded. Once the package is upgraded then the line --ignore '1097346' can be removed from the ui.yaml workflow.

[ramondeklein]

There is no updated version available yet.

[cesnietor]

context: indutny/node-ip#150

[msummers42]

Came across this as a consumer of this package and a user of minio. It appears the upstream has archived the repo. We are considering moving to this fork https://github.com/eggjs/node-ip as we evaluate usage. It's tricky due to the sheer number of dependent projects.

[ramondeklein]

@msummers42 Thanks for mentioning that https://github.com/indutny/node-ip is now archived. It looks like our repo isn't affected by the security issue, but relying on an archived package is never a good idea.

@cesnietor I think we should check what exactly depends on this package and how to fix that.

[pjuarezd]

now that Operatoe console is deprecated we no longer need to upgrade the ip package