Update IP package in Node to 2.0.1 (CVE-2023-42282)

[hiwit]

The provided Node package (externals/nodeXX) contains the node-ip version <2.0.1 which might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic. (https://nvd.nist.gov/vuln/detail/CVE-2023-42282)

When action-runner is deployed as ECS task this is reported as a finding/vulnerability

Runner Version and Platform

3.15.0 Linux (probably all other platforms as well)

[SajeedAnsari]

It seems that both the action-runner images (v2.314.1 and possibly v2.315.0, if details haven't changed) are still facing the CVE-2023-42282 vulnerability associated with the 'ip' package. The 'ip' package version remains below 2.0.1, making it vulnerable. Could you help us address this issue?

[Mano-3]

Yes, I too found this issue. Waiting for response

[philthethrill99]

The latest release 2.319.0 still has the issue on node16 has the ip 2.0.0 with the cve

[github-actions]

This issue is stale because it has been open 365 days with no activity. Remove stale label or comment or this will be closed in 15 days.

[github-actions]

This issue was closed because it has been stalled for 15 days with no activity.