search

IBM / openapi-validator

Configurable and extensible validator/linter for OpenAPI documents
Apache License 2.0
498 stars 88 forks source link

A dependency of this repository contains a critical VM escape vulnerability #607

Closed Southclaws closed 1 year ago

Southclaws commented 1 year ago

Details here:

Dependency tree:

Vulnerable code does not seem to be used at any point in the dependency stack, for reference this is where it's called: https://github.com/TooTallNate/proxy-agents/blob/95729e1563fb4d6edcb7287bdd7e1a8126016da4/packages/pac-resolver/src/index.ts#L48-L53

Related issues:

padamstx commented 1 year ago

@Southclaws Thanks for opening the issue. We are waiting a bit in hopes that the @stoplight/spectral-cli package will have a new release soon which addresses this vulnerability. Alternatively, if one of its transitive dependencies (proxy-agent, pac-proxy-agent, etc.) publishes a new version that no longer uses vm2, we could potentially use "overrides" in package.json to force the use of a new transitive dependency by spectral-cli. Rest assured, we're keeping an eye on this situation.

padamstx commented 1 year ago

It turns out that a new version of proxy-agent (direct dependency of spectral-cli) is available today that removes the "vm2" dependency altogether.

ibm-devx-sdk commented 1 year ago

:tada: This issue has been resolved in version 1.2.0 :tada:

The release is available on npm package (@latest dist-tag)

Your semantic-release bot :package::rocket:

ibm-devx-sdk commented 1 year ago

:tada: This issue has been resolved in version 1.2.0 :tada:

The release is available on npm package (@latest dist-tag)

Your semantic-release bot :package::rocket:

ibm-devx-sdk commented 1 year ago

:tada: This issue has been resolved in version 1.2.0 :tada:

The release is available on npm package (@latest dist-tag)

Your semantic-release bot :package::rocket: