fix: replace ip dependency due to security bug CVE-2024-29415

.changeset/lemon-suns-sneeze.md

@@ -0,0 +1,8 @@
+---
+'@web/test-runner-browserstack': patch
+'@web/test-runner-saucelabs': patch
+'@web/test-runner-core': patch
+'@web/dev-server': patch
+---
+
+replace ip dependency due to security bug CVE-2024-29415

packages/dev-server/package.json

@@ -65,7 +65,7 @@
     "command-line-usage": "^7.0.1",
     "debounce": "^1.2.0",
     "deepmerge": "^4.2.2",
-    "ip": "^2.0.1",
+    "internal-ip": "^7.0.0",
     "nanocolors": "^0.2.1",
     "open": "^8.0.2",
     "portfinder": "^1.0.32"

packages/dev-server/src/logger/logStartMessage.ts

@@ -1,14 +1,14 @@
 import { DevServerConfig } from '../config/DevServerConfig';
 import { Logger } from '@web/dev-server-core';
-import ip from 'ip';
+import { internalIpV4Sync } from 'internal-ip';
 import { bold, cyan, white } from 'nanocolors';
 
 const createAddress = (config: DevServerConfig, host: string, path: string) =>
   `http${config.http2 ? 's' : ''}://${host}:${config.port}${path}`;
 
 function logNetworkAddress(config: DevServerConfig, logger: Logger, openPath: string) {
   try {
-    const address = ip.address();
+    const address = internalIpV4Sync();
     if (typeof address === 'string') {
       logger.log(`${white('Network:')}  ${cyan(createAddress(config, address, openPath))}`);
     }

packages/test-runner-browserstack/package.json

@@ -48,7 +48,7 @@
   "dependencies": {
     "@web/test-runner-webdriver": "^0.8.0",
     "browserstack-local": "^1.4.8",
-    "ip": "^2.0.1",
+    "internal-ip": "^7.0.0",
     "nanoid": "^3.1.25"
   },
   "devDependencies": {

packages/test-runner-browserstack/src/browserstackLauncher.ts

@@ -1,7 +1,7 @@
 import { BrowserLauncher, TestRunnerCoreConfig } from '@web/test-runner-core';
 import { WebdriverLauncher } from '@web/test-runner-webdriver';
 import browserstack from 'browserstack-local';
-import ip from 'ip';
+import { internalIpV4Sync } from 'internal-ip';
 import {
   registerBrowserstackLocal,
   unregisterBrowserstackLocal,
@@ -14,7 +14,7 @@ export interface BrowserstackLauncherArgs {
 }
 
 const REQUIRED_CAPABILITIES = ['name', 'browserstack.user', 'browserstack.key', 'project', 'build'];
-const localIp = ip.address();
+const localIp = internalIpV4Sync() || '0.0.0.0';
 
 export class BrowserstackLauncher extends WebdriverLauncher {
   constructor(

packages/test-runner-core/package.json

@@ -68,7 +68,7 @@
     "debounce": "^1.2.0",
     "dependency-graph": "^0.11.0",
     "globby": "^11.0.1",
-    "ip": "^2.0.1",
+    "internal-ip": "^7.0.0",
     "istanbul-lib-coverage": "^3.0.0",
     "istanbul-lib-report": "^3.0.1",
     "istanbul-reports": "^3.0.2",

packages/test-runner-core/src/cli/getManualDebugMenu.ts

@@ -1,11 +1,11 @@
 import { cyan, gray } from 'nanocolors';
-import ip from 'ip';
+import { internalIpV4Sync } from 'internal-ip';
 
 import { TestRunnerCoreConfig } from '../config/TestRunnerCoreConfig';
 
 export function getManualDebugMenu(config: TestRunnerCoreConfig): string[] {
   const localAddress = `${config.protocol}//${config.hostname}:${config.port}/`;
-  const networkAddress = `${config.protocol}//${ip.address()}:${config.port}/`;
+  const networkAddress = `${config.protocol}//${internalIpV4Sync()}:${config.port}/`;
 
   return [
     'Debug manually in a browser not controlled by the test runner.',

packages/test-runner-saucelabs/package.json

@@ -47,7 +47,7 @@
   ],
   "dependencies": {
     "@web/test-runner-webdriver": "^0.8.0",
-    "ip": "^2.0.1",
+    "internal-ip": "^7.0.0",
     "nanoid": "^3.1.25",
     "saucelabs": "^7.2.0",
     "webdriver": "^8.8.6",

packages/test-runner-saucelabs/src/SauceLabsLauncher.ts

@@ -1,10 +1,10 @@
 import { TestRunnerCoreConfig } from '@web/test-runner-core';
 import { RemoteOptions } from 'webdriverio';
 import { WebdriverLauncher } from '@web/test-runner-webdriver';
-import ip from 'ip';
+import { internalIpV4Sync } from 'internal-ip';
 import { SauceLabsLauncherManager } from './SauceLabsLauncherManager.js';
 
-const networkAddress = ip.address();
+const localIp = internalIpV4Sync() || '0.0.0.0';
 
 export class SauceLabsLauncher extends WebdriverLauncher {
   constructor(
@@ -16,7 +16,7 @@ export class SauceLabsLauncher extends WebdriverLauncher {
   }
 
   startSession(sessionId: string, url: string) {
-    return super.startSession(sessionId, url.replace(/(localhost|127\.0\.0\.1)/, networkAddress));
+    return super.startSession(sessionId, url.replace(/(localhost|127\.0\.0\.1)/, localIp));
   }
 
   async startDebugSession() {

packages/test-runner-saucelabs/src/SauceLabsLauncherManager.ts

@@ -4,7 +4,7 @@ import SaucelabsAPI, {
   SauceConnectOptions,
   SauceConnectInstance,
 } from 'saucelabs';
-import ip from 'ip';
+import { internalIpV4Sync } from 'internal-ip';
 
 /**
  * Wraps a Promise with a timeout, rejecing the promise with the timeout.
@@ -53,7 +53,7 @@ export class SauceLabsLauncherManager {
     this.connectionPromise = withTimeout(
       this.api.startSauceConnect({
         ...this.connectOptions,
-        noSslBumpDomains: `127.0.0.1,localhost,${ip.address()}`,
+        noSslBumpDomains: `127.0.0.1,localhost,${internalIpV4Sync()}`,
       }),
       '[Saucelabs] Timed out setting up Sauce Connect proxy after 5 minutes.',
     );