mirror of
https://github.com/MichMich/MagicMirror.git
synced 2025-12-12 01:42:19 +00:00
refactor: replace express-ipfilter with lightweight custom middleware (#3917)
This fixes security issue [CVE-2023-42282](https://github.com/advisories/GHSA-78xj-cgh5-2h22), which is not very likely to be exploitable in MagicMirror² setups, but still should be fixed. The [express-ipfilter](https://www.npmjs.com/package/express-ipfilter) package depends on the obviously unmaintained [ip](https://github.com/indutny/node-ip) package, which has known security vulnerabilities. Since no fix is available, this commit replaces both dependencies with a custom middleware using the better maintained [ipaddr.js](https://www.npmjs.com/package/ipaddr.js) library. Changes: - Add new `js/ip_access_control.js` with lightweight middleware - Remove `express-ipfilter` dependency, add `ipaddr.js` - Update `js/server.js` to use new middleware - In addition, I have formulated the descriptions of the corresponding tests a little more clearly.
This commit is contained in:
Kristjan ESPERANTO
committed by
GitHub
GitHub
parent
9ff716f4ab
commit
37d1a3ae8f
@@ -21,6 +21,7 @@ planned for 2026-01-01
|
||||
|
||||
- feat: add ESlint rule `no-sparse-arrays` for config check to fix #3910 (#3911)
|
||||
- fixed eslint warnings shown in #3911 and updated npm publish docs (#3913)
|
||||
- [core] refactor: replace `express-ipfilter` with lightweight custom middleware (#3917) - This fixes security issue [CVE-2023-42282](https://github.com/advisories/GHSA-78xj-cgh5-2h22), which is not very likely to be exploitable in MagicMirror² setups, but still should be fixed.
|
||||
|
||||
### Updated
|
||||
|
||||
|
||||
Reference in New Issue
Block a user