TooTallNate / node-degenerator

Turns sync functions into async functions

Sandbox Bypass Affecting vm2 package, versions <3.9.11 #18

Closed punithvenkataswamy closed 1 year ago

punithvenkataswamy commented 2 years ago

Hi Team,

I see the vm2 package version has been upgraded to 3.9.11. Is there a plan/date to release a new version (patch) of degenerator which would help remediate the dependency vulnerability being reported?

mskec commented 2 years ago

You can run npm update vm2 in your project and it will update package-lock.json with vm2 3.9.11.

mNalon commented 2 years ago

But @mskec, would it not be a good practice to drop the compatibility with vulnerable versions in the place where this is a direct dependency?

Just to know if the maintainers are willing to receive a PR on this.

mskec commented 2 years ago

@mNalon the last published package of degenerator has vm2 dependency ^3.9.8 which means any greater minor and patch versions are valid (3.x.y).

If you run npm install degenerator today, it installs vm2 with version 3.9.11. Or you can run npm audit fix in your project to update the vm2 version.
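An added example (not code from node-degenerator or from anyone in this thread) that checks the caret-range point made above and shows what a scanner actually reads, the version resolved in package-lock.json rather than the declared range. The function names and the lockfile sample are my own constructions; the caret check also covers 0.x ranges, which npm treats more narrowly.

```javascript
// Added example (not part of node-degenerator or this thread): check whether a
// caret range such as "^3.9.8" admits a version, and scan a package-lock.json
// "packages" map for vm2 installs older than the fixed 3.9.11. No modules used.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// npm caret rule: version >= floor, and the leftmost non-zero component of the
// floor is kept (^3.9.8 locks the major, ^0.2.3 the minor, ^0.0.3 the patch).
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const floor = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compareVersions(version, range.slice(1)) < 0) return false;
  const lock = floor.findIndex((n) => n !== 0);
  const fixedUpTo = lock === -1 ? 2 : lock;
  for (let i = 0; i <= fixedUpTo; i++) if (v[i] !== floor[i]) return false;
  return true;
}

// Lists every installed copy of `name` (top-level or nested under another
// package) whose resolved version is older than `fixed`.
function vulnerableInstalls(lockfile, name, fixed) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: a stale lock that still resolves vm2 to 3.9.9 even though
// the declared range "^3.9.8" would accept 3.9.11.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/degenerator': { dependencies: { vm2: '^3.9.8' } },
    'node_modules/vm2': { version: '3.9.9' },
  },
};
```

Running `vulnerableInstalls(SAMPLE_LOCK, 'vm2', '3.9.11')` on a real lockfile is the same check npm audit performs: a range that admits the fix does not help until the lock actually resolves to it.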

jordan-day commented 2 years ago

Hi, I think you should reconsider releasing a version update that addresses this. Although the vulnerability may be patched by users using npm update or npm audit fix, the fact that the vulnerable version is listed in your package.json means some security scanners will flag your package as vulnerable.

ianmcodes commented 1 year ago

The dependency issue looks like it is resolved in the main branch. But a maintainer needs to cut a release and push it to npm to fix everyone else's dependency issue.

TooTallNate commented 1 year ago

v3.0.3 has been published with this change.