Open ayaka-kms opened 3 years ago
These are known audit flags; however, the ts-mailgun package does not accept IP addresses as input and therefore is not vulnerable to these.
The change would require breaking changes to ts-mailgun, although PRs are encouraged.
Hi, several high vulnerabilities (CVE-2021-28918, CVE-2021-29418) are introduced in ts-mailgun via:
● ts-mailgun@0.5.1 ➔ mailgun-js@0.22.0 ➔ proxy-agent@3.1.1 ➔ pac-proxy-agent@3.0.1 ➔ pac-resolver@3.0.0 ➔ netmask@1.0.6
mailgun-js is a legacy package. It has not been maintained for about 2 years, and is not likely to be updated. Is it possible to migrate mailgun-js to another package to remediate this vulnerability?
I noticed several migration records for mailgun-js in other js repos, such as
in boba-watch, version 2.0.0, migrate from mailgun-js to mailgun.js via commit
Are there any efforts planned that would remediate this vulnerability or migrate mailgun-js?
Thanks ; )
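An added example, not code from ts-mailgun or from anyone in this thread: a small walker over an `npm ls --json` style tree that reports every path leading to a flagged transitive package and the direct dependency responsible for it. The sample tree is constructed from the chain quoted in the issue; the `example-sibling` entry and the function names are hypothetical.

```javascript
// Constructed sample in the shape of `npm ls --json` output,
// mirroring the dependency chain quoted in the issue.
const sampleTree = {
  name: "ts-mailgun",
  version: "0.5.1",
  dependencies: {
    "mailgun-js": {
      version: "0.22.0",
      dependencies: {
        "proxy-agent": {
          version: "3.1.1",
          dependencies: {
            "pac-proxy-agent": {
              version: "3.0.1",
              dependencies: {
                "pac-resolver": {
                  version: "3.0.0",
                  dependencies: { netmask: { version: "1.0.6" } },
                },
              },
            },
          },
        },
        "example-sibling": { version: "1.0.0" }, // hypothetical filler
      },
    },
  },
};

// Return every root-to-target path as an array of "name@version" strings.
function findDependencyPaths(tree, targetName, targetVersion) {
  const paths = [];
  const walk = (name, node, trail) => {
    const here = [...trail, `${name}@${node.version}`];
    const versionOk = !targetVersion || node.version === targetVersion;
    if (name === targetName && versionOk) paths.push(here);
    for (const [child, sub] of Object.entries(node.dependencies || {})) {
      walk(child, sub, here);
    }
  };
  walk(tree.name, tree, []);
  return paths;
}

// The second element of each path is the direct dependency to upgrade or replace.
function directCulprits(paths) {
  return [...new Set(paths.filter((p) => p.length > 1).map((p) => p[1]))];
}
```
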