TooTallNate / proxy-agents

Node.js HTTP Proxy Agents Monorepo
https://proxy-agents.n8.io

upgrade vm2 to latest version due to security vulnerability reported - CVE-2023-32314 #172

Closed santoshyadavdev closed 1 year ago

santoshyadavdev commented 1 year ago

We received a mail from GitHub about CVE-2023-32314, which is reported in vm2 versions < 3.9.18; the severity is critical.

Here is the public link: https://github.com/advisories/GHSA-whpj-8f3w-67p5

TooTallNate commented 1 year ago

The vm2 dependency uses a ^ caret in the semver version, so you can already fix this in your project by updating your lockfile.

JasonKleban commented 1 year ago

I think this should be reconsidered. I'm only able to get this to work for build and runtime by yarn-resolution-ing ALL the proxy-agent packages and the superagent package; this should be a mechanism of second-to-last resort (with yarn-patching being the last resort). If there's a vulnerability, there is no harm in catching up all of these related packages to each other because of the breaking changes that were introduced between some of the v5/v6 updates.

TooTallNate commented 1 year ago

@JasonKleban You definitely do not need to rely on yarn resolutions. Just update your lockfile by running yarn upgrade.