• The developer of the ‘node-ip’ project made the GitHub repository read-only after disputing the severity of a reported vulnerability (CVE-2023-42282).
  • The vulnerability involved incorrect identification of private IP addresses in non-standard formats, but the developer argued it had a dubious security impact.
  • The situation highlights ongoing issues with unverified CVE reports causing unnecessary panic and frustration for open-source project maintainers.
  • FlumPHP@programming.dev
    link
    fedilink
    arrow-up
    74
    ·
    5 months ago

    The library hadn’t had any updates in 2 years before this. Clearly it wasn’t maintained. If you’re a user and bothered by this super edge case “vulnerability”, fork it and take on the responsibility yourself.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      23
      ·
      5 months ago

      Clearly it wasn’t maintained.

      Lol. It’s an IP library. IP classifications haven’t changed. What could he possibly update?

      • spartanatreyu@programming.dev
        link
        fedilink
        arrow-up
        7
        ·
        5 months ago

        There’s a whole bunch of pull requests and issues sitting there for a start.

        Personally I’d also update the example in the readme and set an engine value in the package.json file.

        • lemmyvore@feddit.nl
          link
          fedilink
          English
          arrow-up
          11
          ·
          5 months ago

          Then fork it and do that.

          These projects are structured as hobbyist projects and get whatever time the maintainer can spare. I have projects like that, they’re useful, but I’m not gonna prioritize them over… anything else, come to think of it.

          The fact so many people treat a hobbyist project with one maintainer as critical infrastructure is insane, but that’s on them. Everybody likes free software, nobody likes to help or pay the maintainer.