Reputation: 41
I found the "ip SSRF improper categorization in isPublic" vulnerability. When I ran npm audit to get a vulnerability report, I found the vulnerability below related to the ip package:
```
ip *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/ip
  dns-packet <=5.2.4
  Depends on vulnerable versions of ip
  node_modules/dns-packet
    multicast-dns 6.0.0 - 7.2.2
    Depends on vulnerable versions of dns-packet
    node_modules/multicast-dns
      bonjour >=3.3.1
      Depends on vulnerable versions of multicast-dns
      node_modules/bonjour
  socks 1.0.0 - 2.7.1
  Depends on vulnerable versions of ip
  node_modules/socks
    socks-proxy-agent 1.0.1 - 4.0.2
    Depends on vulnerable versions of socks
    node_modules/socks-proxy-agent
```
In my project I am using the versions below:

```
Angular CLI: 9.1.13
Node: 22.2.0
OS: win32 x64
```
As I am using Angular 9.1.13, moving to Angular 18 would cause breaking changes, so I have tried overriding the ip package to 2.0.1 in package.json:

```json
"overrides": {
  "webpack-dev-server": { "ip": "^2.0.1" },
  "dns-packet": { "ip": "^2.0.1" },
  "socks": { "ip": "^2.0.1" }
}
```

This updates the ip package, but the vulnerability is still not resolved. Updating the Angular version will not help in my case. Please help me if you have encountered this vulnerability and been able to resolve it.
Upvotes: 2
Views: 1374
Reputation: 1
I have just solved this in my project. As of now there is no patched version of ip on npm for this issue.

You can try this instead: replace "ip" with "ip-address" version 9.0.5, and also add the "sprintf-js" 1.1.3 package as a dependency.
Upvotes: 0