Closed evansrobert closed 1 year ago
The code in this repository has been moved to the proxy-agents monorepo, so I am closing this pull request. If you feel that this issue still exists as of the latest release, feel free to open a new issue over there.
Hi, @TooTallNate, there is a vulnerability introduced by netmask@1.0.6:
Issue Description
I noticed that pac-proxy-agent@3.0.1 transitively depends on netmask@1.0.6. However, the vulnerability (high severity) CVE-2021-28918 is detected in package netmask<2.0.1.
As far as I am aware, pac-proxy-agent@3.0.1 is so popular that a large number of latest versions of downstream projects depend on it (699,801 downloads per week and about 634 downstream projects, e.g., parse-server 4.5.0, gatsby-plugin-s3 0.3.8, pm2-metrics 1.0.43, ghost 4.10.2, @testim/testim-cli 3.173.0, etc.). In this case, the vulnerability CVE-2021-28918 can be propagated into these downstream projects and expose security threats to them. As you can see, pac-proxy-agent@3.0.1 is introduced into the above projects via the following package dependency paths:
(1) @bb-cli/bb-test@2.11.0 ➔ karma@2.0.5 ➔ log4js@2.11.0 ➔ mailgun-js@0.18.1 ➔ proxy-agent@3.0.3 ➔ pac-proxy-agent@3.0.1 ➔ pac-resolver@3.0.0 ➔ netmask@1.0.6
(2) @narando/authorization@0.36.0 ➔ @narando/log@0.36.0 ➔ log4js@2.11.0 ➔ mailgun-js@0.18.1 ➔ proxy-agent@3.0.3 ➔ pac-proxy-agent@3.0.1 ➔ pac-resolver@3.0.0 ➔ netmask@1.0.6
...
I know that it's kind of you to have removed the vulnerability since pac-proxy-agent@4.0.0. But, in fact, the above large number of downstream projects cannot easily upgrade pac-proxy-agent from version 3.0.* to >=4.0.0: projects such as mailgun-js, which introduced pac-proxy-agent@3.0.1, are not maintained anymore. These unmaintained packages can neither upgrade pac-proxy-agent nor be easily migrated by the large number of affected downstream projects.
Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package pac-proxy-agent@3.0.1?
Suggested Solution
Since these inactive projects set a version constraint 3.0.* for pac-proxy-agent on the above vulnerable dependency paths, if pac-proxy-agent removes the vulnerability from 3.0.1 and releases a new patched version pac-proxy-agent@3.0.2, such a vulnerability patch can be automatically propagated into the downstream projects.
In pac-proxy-agent@3.0.2, you could kindly perform the following upgrade:
pac-resolver ^3.0.0 ➔ ^4.1.1
Note: pac-resolver@4.1.1 (>=4.1.1) directly depends on netmask@2.0.2, which has fixed the vulnerability (CVE-2021-28918).
Thank you for your attention to this issue, and you are welcome to share other ways to resolve it.
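The issue above hinges on two things a maintainer or downstream user would want to verify for themselves: which dependency paths in an install actually reach the vulnerable netmask version, and whether a downstream range such as 3.0.* would pick up a proposed backport release. The following script is an added example written for this page; it is not code from the issue, from pac-proxy-agent or from the proxy-agents project. It walks an npm lockfile-v1 style nested dependency tree, reports every path ending in a package below the fixed version, and checks a simplified semver range (wildcard, caret, exact) against a candidate version. The lockfile object is constructed to mirror dependency path (1) from the issue, and the semver handling is deliberately minimal (plain x.y.z only, no prerelease tags, no caret rules for 0.x majors); both are assumptions of this example, not facts about any real install.

```javascript
// Added example: locate vulnerable transitive dependency paths in a lockfile
// tree and test whether a downstream version range would accept a backport.
// Not code from the issue or the proxy-agents project.

// Constructed lockfile-v1 style tree mirroring path (1) from the issue.
// Real lockfiles carry more fields; only name/version/dependencies are used here.
const constructedLock = {
  name: "@bb-cli/bb-test", version: "2.11.0",
  dependencies: {
    karma: { version: "2.0.5", dependencies: {
      log4js: { version: "2.11.0", dependencies: {
        "mailgun-js": { version: "0.18.1", dependencies: {
          "proxy-agent": { version: "3.0.3", dependencies: {
            "pac-proxy-agent": { version: "3.0.1", dependencies: {
              "pac-resolver": { version: "3.0.0", dependencies: {
                netmask: { version: "1.0.6" }
              } }
            } }
          } }
        } }
      } }
    } }
  }
};

// Assumption: plain "x.y.z" versions only; prerelease/build tags are not handled.
function parseVersion(v) {
  return v.split(".").map(Number);
}

// Returns -1, 0 or 1 comparing two x.y.z versions numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting every root-to-leaf path whose final node is
// `pkg` at a version strictly below `fixedIn` (the first patched release).
function findVulnerablePaths(lock, pkg, fixedIn) {
  const results = [];
  function walk(node, name, path) {
    const here = path.concat(`${name}@${node.version}`);
    if (name === pkg && compareVersions(node.version, fixedIn) < 0) {
      results.push(here.join(" -> "));
    }
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(child, childName, here);
    }
  }
  walk(lock, lock.name, []);
  return results;
}

// Simplified range check: "3.0.*" (wildcard), "^3.0.0" (caret, major >= 1
// semantics only), or an exact version. Enough to reason about whether a
// backported 3.0.2 would flow to consumers pinned to 3.0.*.
function rangeAccepts(range, candidate) {
  const c = parseVersion(candidate);
  if (range.endsWith(".*")) {
    const prefix = range.slice(0, -2).split(".").map(Number);
    return prefix.every((n, i) => n === c[i]);
  }
  if (range.startsWith("^")) {
    const base = range.slice(1);
    return parseVersion(base)[0] === c[0] && compareVersions(candidate, base) >= 0;
  }
  return compareVersions(range, candidate) === 0;
}

// Stand-alone run: report the path to netmask < 2.0.1 and test the ranges
// discussed in the issue (3.0.* downstream pin, ^4.1.1 for pac-resolver).
console.log(findVulnerablePaths(constructedLock, "netmask", "2.0.1"));
console.log("3.0.* accepts 3.0.2:", rangeAccepts("3.0.*", "3.0.2"));
console.log("3.0.* accepts 4.0.0:", rangeAccepts("3.0.*", "4.0.0"));
console.log("^4.1.1 accepts 4.1.2:", rangeAccepts("^4.1.1", "4.1.2"));
```

Running it prints the single constructed path ending in pac-resolver@3.0.0 -> netmask@1.0.6, confirms that a 3.0.2 backport satisfies the 3.0.* pin while 4.0.0 does not, and shows that ^4.1.1 admits later 4.x pac-resolver releases. Against a real install you would load package-lock.json (lockfile v1 nests dependencies the same way) instead of the constructed object; for lockfile v2/v3 or for full semver ranges, use the npm `semver` package rather than the simplified checks here.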