fix: remove high security vuln & replace with other ip checking pkg

BrandwatchLtd · Jul 26, 2024 · 24f3596 · 24f3596
1 parent 73c0523
commit 24f3596
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 8 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -20,6 +20,6 @@
     "registry": "https://artifactory.brandwatch.com/artifactory/api/npm/npm"
   },
   "dependencies": {
-    "ip": "^2.0.1"
+    "ipaddr.js": "^2.2.0"
   }
 }
diff --git a/src/index.js b/src/index.js
@@ -1,7 +1,7 @@
 /**
  * Configure a ExpressJS middleware to expose useful health/metrics/checks endpoints.
  */
-const ip = require('ip');
+const ipaddr = require('ipaddr.js');
 
 // Default empty configuration
 let metrics;
@@ -33,7 +33,8 @@ const addMetrics = (m) => { metrics = m; };
 const getMiddleware = () => (req, res, next) => {
   const requestingIP = req.ip || req.connection.remoteAddress
                        || req.socket.remoteAddress || req.connection.socket.remoteAddress;
-  if (!ip.isPrivate(requestingIP)) {
+
+  if (!['private', 'loopback'].includes(ipaddr.parse(requestingIP).range())) {
     return next();
   }