From bc6e7644ba075bf2054896544686c9cac0a26710 Mon Sep 17 00:00:00 2001
From: David McCoy
Date: Mon, 2 Feb 2026 20:27:31 -0800
Subject: [PATCH] Replace ip package with native broadcast calculation

Removes vulnerable ip dependency (CVE-2023-42282, CVE-2024-29415).
---
 package.json | 1 -
 sood.js | 9 +++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index b77d252..02c6ed0 100644
--- a/package.json
+++ b/package.json
@@ -6,7 +6,6 @@
 "author": "Roon Labs, LLC",
 "license": "Apache-2.0",
 "dependencies": {
- "ip": "^2.0.1",
 "node-uuid": "^1.4.7",
 "ws": ">=3.3.1"
 }
diff --git a/sood.js b/sood.js
index 4a1a867..29bdfec 100644
--- a/sood.js
+++ b/sood.js
@@ -7,10 +7,15 @@ SOOD implements Roon Core discovery using UDP protocol
 var util = require("util"),
 events = require('events'),
 dgram = require('dgram'),
- IP = require('ip'),
 uuid = require('node-uuid'),
 os = require('os');
+function getBroadcastAddress(ip, netmask) {
+ const ipParts = ip.split('.').map(Number);
+ const maskParts = netmask.split('.').map(Number);
+ return ipParts.map((octet, i) => octet | (~maskParts[i] & 255)).join('.');
+}
+
 var SOOD_PORT = 9003;
 var SOOD_MULTICAST_IP = "239.255.90.90";
@@ -203,7 +208,7 @@ Sood.prototype._listen_iface = function(ip, netmask, ifacename) {
 // this.logger.log(`SOOD: new sock: send ${ip}/${ifacename}`);
 new_iface = true;
 iface.send_sock = dgram.createSocket({ type: 'udp4' });
- iface.broadcast = IP.subnet(ip, netmask).broadcastAddress;
+ iface.broadcast = getBroadcastAddress(ip, netmask);
 iface.send_sock.on('error', (err) => {
 // this.logger.log(`server error ${ip}`, err);
 iface.send_sock.close();
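Review bot: The new `getBroadcastAddress` in sood.js accepts any string pair without validation, so malformed or non-IPv4 input silently produces a plausible-looking address instead of an error. `Number` maps `''` to 0 and `'0x7f'` to 127, a missing mask octet becomes 255 through `~undefined & 255`, and an IPv6 address/netmask pair collapses to the single token `255`. The callers of `_listen_iface` are outside the hunks, so whether only OS-reported IPv4 values ever reach it cannot be confirmed from here; if other values can, the result is stored in `iface.broadcast`, which by its name is presumably used as a send destination. Rejecting anything that is not four decimal octets in 0–255 keeps a bad interface entry from becoming a target, but the call in the third hunk would then need to skip the interface or handle the throw. A brief JSDoc stating the IPv4-only contract would also help, since this hand-rolled helper replaces a library call.

```javascript
// Strict dotted-decimal parse: exactly four octets, digits only, each 0-255.
function parseIPv4Octets(addr) {
  const parts = String(addr).split('.');
  const ok = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) {
    throw new TypeError(`not a dotted-decimal IPv4 address: ${addr}`);
  }
  return parts.map(Number);
}

function getBroadcastAddress(ip, netmask) {
  const ipParts = parseIPv4Octets(ip);
  const maskParts = parseIPv4Octets(netmask);
  // … unchanged: per-octet OR with the inverted mask, joined with '.' …
}
```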