Skip to content

fix: move static function from ip to the parse-udp module#550

Open
fabianbormann wants to merge 1 commit intowebtorrent:masterfrom
fabianbormann:fix/remove_ip_dependency
Open

fix: move static function from ip to the parse-udp module#550
fabianbormann wants to merge 1 commit intowebtorrent:masterfrom
fabianbormann:fix/remove_ip_dependency

Conversation

@fabianbormann
Copy link

@fabianbormann fabianbormann commented Apr 26, 2025

What is the purpose of this pull request? (put an "X" next to item)

[ ] Documentation update
[ ] Bug fix
[ ] New feature
[X] Other, please explain:

For the past year, there has been a vulnerability in the less/not maintained node-ip package. While the vulnerability doesn't affect bittorrent-tracker directly, it still results in a 1 high severity vulnerability warning after running npm i on this project or any other project that has bittorrent-tracker as a dependency. This creates a negative impression from a customer perspective or during code audits.

What changes did you make? (Give an overview)

This repository only uses a single static function from the node-ip package, which is unmaintained but available under the MIT license. I copied this static function directly into the parse-udp module and removed the node-ip dependency entirely.

I ran the tests, which show:

1..557
# tests 557
# pass  557

# ok

Additionally, npm i now shows found 0 vulnerabilities after running the command.

@socket-security
Copy link

socket-security bot commented Apr 26, 2025
edited
Loading

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

@fabianbormann
Copy link
Author

fabianbormann commented May 4, 2025

@DiegoRBaquero, are you the right person to review this PR? If not, could you please involve someone else who could take a look at it? Thanks! 😊

@github-actions
Copy link

github-actions bot commented Jul 3, 2025

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

@github-actions github-actions bot added the stale label Jul 3, 2025
@github-actions github-actions bot closed this Jul 10, 2025
@fabianbormann
Copy link
Author

fabianbormann commented Jul 10, 2025

Please re-open the PR

@subins2000
Copy link
Contributor

subins2000 commented Sep 5, 2025

This should be re-opened. It's a good change, I noticed the high severity warning as well

@SilentBot1 SilentBot1 reopened this Sep 5, 2025
@SilentBot1 SilentBot1 enabled auto-merge (squash) September 5, 2025 17:51
@github-actions github-actions bot removed the stale label Sep 6, 2025
@crass
Copy link

crass commented Oct 27, 2025

@fabianbormann I suggest that the commit message be more verbose as to exactly what is happening here. I think you could copy what is in the description above (removing the "For the past year,").

@ThaUnknown I've tested that the issue is real and that this fixes it. It should be a simple and quick review.

@github-actions
Copy link

github-actions bot commented Dec 26, 2025

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

@github-actions github-actions bot added the stale label Dec 26, 2025
@crass
Copy link

crass commented Dec 31, 2025

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

Yes, it is still relevant. There's not much that can be done without an active maintainer to take a look at this.

@github-actions github-actions bot removed the stale label Dec 31, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@fabianbormann @subins2000 @crass @SilentBot1