Closed Havunen closed 1 year ago
Same here, happily looking for this to be fixed.
Looks like it is resolved, as well as CVE-2022-36067
└─┬ proxy-agent@5.0.0
  └─┬ pac-proxy-agent@5.0.0
    └─┬ pac-resolver@5.0.1
      └─┬ degenerator@3.0.2
        └── vm2@3.9.11
@alasdairhurst Not sure how you are getting that vm2 version but it does not appear to be directly from proxy-agent@5.0.0 as it does not appear to have been updated in over a year and I am still getting this problem
EDIT: ah, for some reason I had to delete my package-lock.json and now it's picking up vm2@3.9.11
3.9.11 is also now a vulnerable version, should now be upgraded to 3.9.17
This code in this repository has been moved to the proxy-agents monorepo, so I am closing this pull request. If you feel that this issue still exists as of the latest release, feel free to open a new issue over there.
Sandbox bypass in vm2 - https://github.com/advisories/GHSA-6pw2-5hjv-9pf7
fix available via npm audit fix
node_modules/vm2
1 critical severity vulnerability
npm list vm2 shows this repository as part of the dependency chain
Connects to: https://github.com/TooTallNate/node-pac-proxy-agent/issues/46
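
The thread turns on a package-lock.json that kept an old vm2 pinned under proxy-agent's dependency chain. One way to check a lockfile for such a pin, as an added example that is not code from proxy-agent, vm2 or npm: the 3.9.17 threshold is the version named in a comment above, the function names are hypothetical, and the lockfile fragment is constructed.

```javascript
// Added example: not code from proxy-agent, vm2 or npm.
// MIN_SAFE is an assumption taken from the thread ("should now be upgraded to 3.9.17").
const MIN_SAFE = "3.9.17";

// Compare plain x.y.z versions numerically; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed copy of `name` pinned below `minSafe`.
function findStalePins(lock, name, minSafe) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the last segment is the package.
    const segments = path.split("node_modules/");
    if (segments[segments.length - 1] !== name || !meta.version) continue;
    if (compareVersions(meta.version, minSafe) < 0) {
      // For nested copies the key also names the parents holding the old version.
      const chain = segments.filter(Boolean).map((s) => s.replace(/\/$/, ""));
      hits.push({ path, version: meta.version, chain });
    }
  }
  return hits;
}

// Constructed lockfile fragment using the versions quoted in this thread.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/proxy-agent": { version: "5.0.0" },
    "node_modules/degenerator": { version: "3.0.2" },
    "node_modules/degenerator/node_modules/vm2": { version: "3.9.11" },
    "node_modules/vm2": { version: "3.9.17" },
  },
};

for (const h of findStalePins(sampleLock, "vm2", MIN_SAFE)) {
  console.log(`${h.chain.join(" > ")} pinned at ${h.version}, below ${MIN_SAFE}`);
}
```

To check a real project, pass the parsed contents of its package-lock.json as `lock`; a hoisted copy appears as `node_modules/vm2` with no parent in the chain.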