TooTallNate / node-degenerator

Turns sync functions into async functions

[security] CVE-2021-23449 - Bumped vm2 to 3.9.5 #14

Closed crudo closed 2 years ago

crudo commented 2 years ago

https://security.snyk.io/vuln/SNYK-JS-VM2-1585918

IndraPachipala commented 2 years ago

Thanks @crudo for launching this PR. Snyk has identified a vulnerability with the VM 3.9.3 package version. So hoping you can merge this PR soon?

derekblank commented 2 years ago

@TooTallNate This is also being reported as a critical vulnerability in our dependency chain, affecting the following packages:

 superagent-proxy@3.0.0 
  › proxy-agent@5.0.0
    › pac-proxy-agent@5.0.0
      › pac-resolver@5.0.0
        › degenerator@3.0.1
          › vm2@3.9.4

vm2@3.9.5 (and, more recently, vm2@3.9.6) contain security fixes. Any chance we could bump the vm2 dependency here?
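The chain quoted above, as an added example that is not code from this PR or from the node-degenerator project: a small Node script that walks the `packages` map of a package-lock.json (lockfile version 2 or 3), reconstructs every dependency chain that reaches vm2, and reports the ones resolving to a version older than the fixed 3.9.5. The lock fragment is constructed to mirror the chain listed in the comment.

```javascript
// Constructed package-lock.json fragment mirroring the chain in the thread.
const SAMPLE_LOCK = {
  name: 'app', version: '1.0.0', lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'superagent-proxy': '3.0.0' } },
    'node_modules/superagent-proxy': { version: '3.0.0', dependencies: { 'proxy-agent': '5.0.0' } },
    'node_modules/proxy-agent': { version: '5.0.0', dependencies: { 'pac-proxy-agent': '5.0.0' } },
    'node_modules/pac-proxy-agent': { version: '5.0.0', dependencies: { 'pac-resolver': '5.0.0' } },
    'node_modules/pac-resolver': { version: '5.0.0', dependencies: { degenerator: '3.0.1' } },
    'node_modules/degenerator': { version: '3.0.1', dependencies: { vm2: '^3.9.4' } },
    'node_modules/vm2': { version: '3.9.4' },
  },
};

// Compare two dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Resolve `name` from `fromPath` the way npm does: nested node_modules first,
// then walk up toward the root entry ''.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Return every chain (array of "name@version") from the root to `target`
// whose installed version is older than `fixedVersion`.
function findVulnerableChains(lock, target, fixedVersion) {
  const pk = lock.packages, results = [];
  const walk = (path, chain, seen) => {
    for (const dep of Object.keys(pk[path].dependencies || {})) {
      const depPath = resolveDep(pk, path, dep);
      if (!depPath || seen.has(depPath)) continue; // unresolved or cyclic edge
      const next = chain.concat(dep + '@' + pk[depPath].version);
      if (dep === target) {
        if (compareVersions(pk[depPath].version, fixedVersion) < 0) results.push(next);
      } else {
        walk(depPath, next, new Set(seen).add(depPath));
      }
    }
  };
  walk('', [], new Set(['']));
  return results;
}
```

Run it against a real lock by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means no chain still pins vm2 below 3.9.5.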