Use @versatica/sctp fork to fix npm audit vulnerability

[ibc]

Details

• I've forked NPM ip package (see https://github.com/versatica/node-ip), removed public API affected by the vulnerability and published version 3.0.0 under @versatica NPM organization.
• I've forked NPM sctp package(see https://github.com/versatica/node-sctp), updated deps and (of course) replace ip with @versativa/ip dependency, and published version 1.1.0 under @versatica NPM organization.
• And of course I've replaced sctp with @versativa/sctp in mediasoup, so now npm audit is ok.

Before

$ npm install mediasoup

[...]

added 2 packages, removed 2 packages, changed 1 package, and audited 500 packages in 4s

106 packages are looking for funding
  run `npm fund` for details

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

After

$ npm install mediasoup

[...]

up to date, audited 500 packages in 4s

106 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

[nazar-pc]

According to comments in the original repo ip could be replaced with https://www.npmjs.com/package/ip-address
For sctp worth contacting the author (I see they had some activity on GitHub months ago), maybe they'll be open to transfer ownership and maintenance to this organization.

[ibc]

According to comments in the original repo ip could be replaced with https://www.npmjs.com/package/ip-address For sctp worth contacting the author (I see they had some activity on GitHub months ago), maybe they'll be open to transfer ownership and maintenance to this organization.

ip-address doesn't provide with the needed API. sctp library uses toBuffer() and toString() functions exposed by ip library and those are not present in ip-address (I checked the whole library).

Honestly I don't want to spend too much time on this topic. We only use sctp library in mediasoup for tests. I'm fine with contacting the author in next year but honestly I don't want to become maintainer of sctp library.

[jmillan]

I'm not getting that info:

$ npm install mediasoup

added 64 packages in 6s

21 packages are looking for funding
  run `npm fund` for details

sctp is a devDependency which means it only installs for local development. Is it worth it forking two packages for this?

[ibc]

sctp is a devDependency which means it only installs for local development.

Ok, things may have changed. In the past npm install xxx installed dev deps by default.

Is it worth it forking two packages for this?

The thing is that I did it already.

[jmillan]

The thing is that I did it already.

Do you want to keep 2 forks for a warning that only happens in local (just applies to a tests) and that is perfectly known?

$ npm audit
# npm audit report

ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
No fix available
node_modules/ip
  sctp  *
  Depends on vulnerable versions of ip
  node_modules/sctp

2 high severity vulnerabilities

If you want this, I'll approve it, but IMO it makes no much sense.

[jmillan]

If you don't want to loose the work totally, you can put the pickport module under @versatica

[ibc]

Ok, I'm closing this because it was not as important as I thought based on #1472 (comment)

[nazar-pc]

I don't want to become maintainer of sctp library.

But you literally forked the library and will effectively have to maintain it anyway 🙃
Well, I guess not anymore.