Closed punithvenkataswamy closed 1 year ago
You can run npm update vm2 in your project and it will update package-lock.json with vm2 3.9.11.
But @mskec, would it not be good practice to drop compatibility with vulnerable versions where this is a direct dependency? Just to know whether the maintainers are willing to receive a PR on this.
@mNalon the last published package of degenerator has vm2 dependency ^3.9.8, which means any greater minor and patch versions are valid (3.x.y). If you run npm install degenerator today, it installs vm2 with version 3.9.11. Or you can run npm audit fix in your project to update the vm2 version.
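An added example, not code from the degenerator or vm2 projects or from any commenter in this thread, showing what the caret range and lockfile discussion above amounts to: it reads a constructed package-lock.json object, finds the resolved vm2 version, and reports whether that version falls inside ^3.9.8 and whether it is at or above 3.9.11, the version the thread names as the fix. The `auditLock`, `satisfiesCaret` and `lockedVersion` helpers and the sample lock content are assumptions of this example; on a real project, `npm ls vm2` and `npm audit` answer the same question from the actual tree.

```javascript
// Added example, not project code: check which vm2 version a lockfile pins and
// whether it sits inside degenerator's declared range (^3.9.8) and at or above
// the patched release (3.9.11) discussed in the thread.

// Parse "X.Y.Z" into numbers; prerelease and build tags are out of scope here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// npm caret semantics: ^X.Y.Z allows >=X.Y.Z while keeping the left-most
// non-zero component fixed, so ^3.9.8 means >=3.9.8 <4.0.0.
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  if (compareVersions(version, base) < 0) return false;
  const [bx, by, bz] = parseVersion(base);
  const [vx, vy, vz] = parseVersion(version);
  if (bx > 0) return vx === bx;              // ^3.9.8 -> 3.x.y
  if (by > 0) return vx === 0 && vy === by;  // ^0.9.8 -> 0.9.y
  return vx === 0 && vy === 0 && vz === bz;  // ^0.0.8 -> exactly 0.0.8
}

// Resolved version of a hoisted dependency from a package-lock.json object.
// lockfileVersion 2/3 keeps "packages"; lockfileVersion 1 keeps "dependencies".
function lockedVersion(lock, name) {
  const fromPackages = (lock.packages || {})[`node_modules/${name}`];
  const fromDeps = (lock.dependencies || {})[name];
  const entry = fromPackages || fromDeps;
  return entry ? entry.version : null;
}

// Hypothetical helper: the state a scanner would report for this lockfile.
function auditLock(lock, name, declaredRange, fixedIn) {
  const version = lockedVersion(lock, name);
  if (version === null) {
    return { version: null, inRange: false, patched: false };
  }
  return {
    version,
    inRange: satisfiesCaret(version, declaredRange),
    patched: compareVersions(version, fixedIn) >= 0,
  };
}

// Constructed sample lockfile (not a real project's lock): the lock still pins
// vm2 3.9.9 even though the declared range ^3.9.8 already admits 3.9.11, which
// is exactly the situation that "npm update vm2" or "npm audit fix" resolves.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/degenerator': { dependencies: { vm2: '^3.9.8' } },
    'node_modules/vm2': { version: '3.9.9' },
  },
};

const STALE = auditLock(SAMPLE_LOCK, 'vm2', '^3.9.8', '3.9.11');
console.log(STALE); // { version: '3.9.9', inRange: true, patched: false }
```

The distinction the check draws is the one the thread turns on: `inRange` is true because ^3.9.8 admits 3.9.11, so a fresh install gets the fixed version, while `patched` is false because a committed lockfile keeps whatever it already resolved until something updates it. Scanners that read the lockfile report the second value, not the first.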
Hi, I think you should reconsider releasing a version update that addresses this. Although the vulnerability may be patched by users using npm update or npm audit fix, the fact that the vulnerable version is listed in your package.json means some security scanners will flag your package as vulnerable.
The dependency issue looks like it is resolved in the main branch. But a maintainer needs to cut a release and push it to npm to fix everyone else's dependency issue.
v3.0.3 has been published with this change.
Hi Team, I see the vm2 package version has been upgraded to 3.9.11. Is there a plan or date to release a new version (patch) of degenerator which would help remediate the dependency vulnerability being reported?