Binding to an Unrestricted IP Address
CVE-2024-36105
Summary
dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Binding to `INADDR_ANY` (`0.0.0.0`) or `IN6ADDR_ANY` (`::`) exposes an application on all network interfaces, increasing the risk of unauthorized access. As stated in the Python socket docs, a special form is accepted in place of a host address: `''` represents `INADDR_ANY`, equivalent to `"0.0.0.0"`; on systems with IPv6, `''` represents `IN6ADDR_ANY`, equivalent to `"::"`. A user who runs `dbt docs serve` on an unsecured public network may therefore unknowingly be hosting an unsecured (HTTP) website that any remote user or system on the same network can reach. The issue has been mitigated by binding to localhost explicitly by default in `dbt docs serve`. This issue affects dbt-core versions 1.5.0b1 through 1.6.14, 1.7.0b1 through 1.7.14, and 1.8.0b1 through 1.8.0.
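The following is an added example, not dbt's own code, showing the class of bind the advisory describes beside the hardened default it was fixed to. `is_unrestricted_bind` classifies a host string the way the Python socket docs describe it (`''`, `0.0.0.0`, `::` and their spellings all mean "every interface"), `effective_bind_address` makes the `''` to `0.0.0.0` equivalence observable by asking the kernel what it actually bound, and `serve_docs` is a hypothetical stand-in for a docs server that defaults to loopback and refuses an unrestricted bind unless the caller opts in. All three names and `DEFAULT_HOST` are assumptions for this example.

```python
import ipaddress
import socket
from http.server import HTTPServer, SimpleHTTPRequestHandler

# Hypothetical default mirroring the mitigation: loopback unless the caller opts out.
DEFAULT_HOST = "127.0.0.1"


def is_unrestricted_bind(host: str) -> bool:
    """True when `host` would put a listener on every network interface.

    '' is the special form the Python socket docs map to INADDR_ANY / IN6ADDR_ANY.
    Literal unspecified addresses (0.0.0.0, ::, ::0, bracketed [::]) are caught via
    ipaddress.is_unspecified. Hostnames are not resolved and are treated as restricted.
    """
    h = host.strip()
    if h == "":
        return True
    if h.startswith("[") and h.endswith("]"):  # bracketed IPv6 literal, e.g. "[::]"
        h = h[1:-1]
    try:
        return ipaddress.ip_address(h).is_unspecified
    except ValueError:
        return False  # not an IP literal (e.g. "localhost")


def effective_bind_address(host: str) -> str:
    """Bind a throwaway IPv4 socket to (host, 0) and return the address the kernel
    reports back, so the '' -> 0.0.0.0 equivalence is visible at runtime."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[0]


def serve_docs(port: int, host: str = DEFAULT_HOST,
               allow_unrestricted: bool = False) -> HTTPServer:
    """Create (but do not start) a static HTTP server for generated docs.

    The vulnerable pattern is the equivalent of `HTTPServer(("", port), ...)`.
    Here the default is loopback, and an unrestricted host is rejected unless the
    caller explicitly sets allow_unrestricted=True.
    """
    if is_unrestricted_bind(host) and not allow_unrestricted:
        raise ValueError(
            f"refusing to bind to {host!r}: it exposes the docs on all interfaces")
    return HTTPServer((host, port), SimpleHTTPRequestHandler)


if __name__ == "__main__":
    # Constructed sample hosts a config file or CLI flag might supply.
    for candidate in ("", "0.0.0.0", "::", "[::]", "127.0.0.1", "::1", "localhost"):
        print(f"{candidate!r:12} unrestricted={is_unrestricted_bind(candidate)}")
    print("'' actually binds to", effective_bind_address(""))           # 0.0.0.0
    print("loopback binds to", effective_bind_address("127.0.0.1"))   # 127.0.0.1

    srv = serve_docs(0)  # hardened default: loopback, ephemeral port
    print("hardened server would listen on", srv.server_address)
    srv.server_close()
    try:
        serve_docs(0, host="")  # the vulnerable form, now refused
    except ValueError as exc:
        print("refused:", exc)
```

Running the script prints the classification of each candidate host, shows that `''` is reported back as `0.0.0.0`, and demonstrates the server factory accepting the loopback default while refusing the empty-string host. The `allow_unrestricted` flag exists so a deliberate choice to expose the server stays visible in code rather than happening through an empty default.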
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-1327 - Binding to an Unrestricted IP Address
The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.