
Added ip-address override#27688

Merged
9larsons merged 1 commit into main from security/ip-address-override
May 5, 2026

Conversation

@9larsons
Contributor

@9larsons 9larsons commented May 5, 2026

Why

A newly-published moderate XSS advisory landed against ip-address's Address6 HTML-emitting methods (the helpers that produce HTML representations of IPv6 addresses). Affected versions are <=10.1.0; fixed upstream in 10.2.0.

In our tree it arrives as sqlite3 > node-gyp > make-fetch-happen > socks-proxy-agent > socks > ip-address, so it's a build-time chain (sqlite3 native compilation) rather than runtime — the practical risk surface is limited. The override is still worth taking because the fix is a same-major patch and the override is mechanical.

Test plan

  • pnpm install — single ip-address@10.2.0 resolution; no change to consumer call sites
  • pnpm audit — closes the moderate ip-address advisory; no new advisories introduced
  • pnpm test — 6283/6283 ghost/core unit tests pass (the pre-existing comments-ui editor markdown flake reproduces on clean main and is unrelated)
  • CI confirms the same delta against the canonical environment

- Newly-published moderate XSS advisory in ip-address's Address6 HTML-emitting methods (Address6.toMicrosoftTransportAddress and similar helpers that produce HTML representations of IPv6 addresses). Affects versions <=10.1.0; fixed in 10.2.0
- Reaches the tree via sqlite3 > node-gyp > make-fetch-happen > socks-proxy-agent > socks > ip-address. That's a build-time chain (sqlite3 native compilation), so the runtime risk surface is limited, but the override is mechanical and the upstream fix is a same-major patch
- Verified: pnpm test passes 6283/6283 ghost/core (the comments-ui editor markdown flake reproduces on clean main and is unrelated); ip-address resolves to a single 10.2.0 in the tree

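Added example, not code from this PR or the Ghost project: a small model of how a range-qualified pnpm override key selects the lockfile resolutions it rewrites, plus the post-install check the test plan describes (every remaining ip-address copy must satisfy ^10.2.0). The override key `ip-address@<=10.1.0` is assumed from the walkthrough since the package.json diff is not shown on this page, and the lockfile versions are constructed.

```javascript
// Constructed example (not the PR's own code); override key form is assumed from the walkthrough.
const overrides = { "ip-address@<=10.1.0": "^10.2.0" };
// Constructed lockfile excerpt: the dependency chain is the one the PR names,
// the concrete versions are made up for the example.
const resolutions = [
  { name: "ip-address", version: "10.1.0", via: "sqlite3>node-gyp>make-fetch-happen>socks-proxy-agent>socks" },
  { name: "ip-address", version: "9.0.5", via: "constructed-other-consumer" },
  { name: "ip-address", version: "10.2.0", via: "constructed-already-fixed" },
  { name: "socks", version: "2.8.3", via: "socks-proxy-agent" },
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}
function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// Minimal evaluator for the two operators this override uses, "<=x.y.z" and
// "^x.y.z" (caret assumes a non-zero major, which holds for ip-address 10).
function satisfies(version, range) {
  if (range.startsWith("<=")) return compare(version, range.slice(2)) <= 0;
  if (range.startsWith("^")) {
    const base = range.slice(1);
    return compare(version, base) >= 0 && parseVersion(version)[0] === parseVersion(base)[0];
  }
  throw new Error(`unsupported range: ${range}`);
}
// "ip-address@<=10.1.0" -> { name, range }; a key with no "@range" matches every version.
function parseSelector(key) {
  const at = key.lastIndexOf("@");
  return at > 0 ? { name: key.slice(0, at), range: key.slice(at + 1) } : { name: key, range: null };
}
// Annotate each resolution with the target pnpm would rewrite it to (null = untouched).
function applyOverrides(entries, ovr) {
  return entries.map((e) => {
    const hit = Object.entries(ovr).find(([key]) => {
      const sel = parseSelector(key);
      return sel.name === e.name && (sel.range === null || satisfies(e.version, sel.range));
    });
    return { ...e, forcedTo: hit ? hit[1] : null };
  });
}
// Post-install check mirroring the test plan: copies of `name` still outside `fixedRange`.
function vulnerableResolutions(entries, name, fixedRange) {
  return entries.filter((e) => e.name === name && !satisfies(e.version, fixedRange));
}
```

Running `vulnerableResolutions` over the real lockfile after `pnpm install` is the check that confirms the single 10.2.0 resolution the test plan reports.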
@coderabbitai
Contributor

coderabbitai Bot commented May 5, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 0dd90fd and e1fe285.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

Walkthrough

A PNPM override was added to package.json in the pnpm overrides section. This override forces the ip-address package to version ^10.2.0 when a version of 10.1.0 or lower is encountered. This is a single-line addition with no modifications to other dependencies or configuration settings.

Pre-merge checks: 5 passed
  • Title check: Passed. The title 'Added ip-address override' directly and concisely describes the main change in the pull request—adding a PNPM override for the ip-address package.
  • Description check: Passed. The description clearly relates to the changeset by explaining the security motivation (XSS advisory in ip-address <=10.1.0), the dependency chain context, and the testing performed to validate the override.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@codecov

codecov Bot commented May 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.18%. Comparing base (e35122a) to head (e1fe285).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #27688      +/-   ##
==========================================
- Coverage   73.19%   73.18%   -0.01%     
==========================================
  Files        1561     1561              
  Lines      127073   127073              
  Branches    15395    15394       -1     
==========================================
- Hits        93006    93004       -2     
- Misses      33110    33111       +1     
- Partials      957      958       +1     
Flag          Coverage      Δ
admin-tests   49.86% <ø>    -0.02% ⬇️
e2e-tests     73.18% <ø>    -0.01% ⬇️


@9larsons 9larsons enabled auto-merge (squash) May 5, 2026 22:37
@9larsons 9larsons merged commit 161b51b into main May 5, 2026
46 checks passed
@9larsons 9larsons deleted the security/ip-address-override branch May 5, 2026 22:45