Merge pull request #58 from advanced-security/copilot/fix-dependabot-alerts-again

Fix 12 dependabot alerts: update transitive deps, replace vulnerable `ip` package, bump fast-xml-parser override

Author: felickz

functions/authorizers/githubWebhookIPValidator/package-lock.json

@@ -11,7 +11,6 @@
   "devDependencies": {
     "@tsconfig/node18": "^1.0.1",
     "@types/aws-lambda": "^8.10.109",
-    "@types/ip": "^1.1.0",
     "@types/json-schema": "^7.0.11",
     "@types/node": "^18.11.17",
     "@typescript-eslint/eslint-plugin": "^5.47.0",
@@ -35,6 +34,6 @@
     "@aws-sdk/client-ssm": "^3.816.0",
     "@octokit/auth-app": "^8.0.1",
     "@octokit/graphql": "^9.0.1",
-    "ip": "^2.0.1"
+    "ipaddr.js": "^2.2.0"
   }
 }

functions/authorizers/githubWebhookIPValidator/package.json

@@ -1,7 +1,11 @@
-import { cidrSubnet } from "ip";
+import * as ipaddr from "ipaddr.js";
 
 const findIP = (keys: string[], ipToCheck: string) => {
-  return keys.some((cidr) => cidrSubnet(cidr).contains(ipToCheck));
+  const parsedIP = ipaddr.parse(ipToCheck);
+  return keys.some((cidr) => {
+    const [addr, prefixLength] = ipaddr.parseCIDR(cidr);
+    return parsedIP.match(addr, prefixLength);
+  });
 };
 
 export const checkIPs = async (