Closed harryaswan closed 11 months ago
The suggested alternative isolated-vm is probably a non-starter for this project, since it requires a C++ module, which I would like to avoid. I'm considering using QuickJS compiled to WASM instead.
Would be nice if pac-proxy support could be an optional dependency, it's frustrating to have security alerts go off for code that we are not using.
Critical severity CVE-2023-37466 vm2 Sandbox Escape vulnerability advisory for vm2
Is my understanding of the exposure to the vm2 vulnerability to users of proxy-agent as of v6.2.2 correct?
- HTTP_PROXY/HTTPS_PROXY are not set
- HTTP_PROXY/HTTPS_PROXY are set, but values do not start with pac*
- HTTP_PROXY/HTTPS_PROXY are set to a URL starting with pac* pointing to a proxy auto-config file
@robbkidd Correct
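A small audit helper for the three scenarios above, added here as an example and not part of the proxy-agents project: it classifies a process environment by whether the proxy variables are unset, point at a plain proxy, or use one of proxy-agent's `pac+` schemes (the path that pulls in pac-proxy-agent and, in the affected versions, vm2). The lowercase variable names and the sample values are assumptions for the demo.

```javascript
// Variables checked; the lowercase variants are an assumption, the thread
// only names HTTP_PROXY and HTTPS_PROXY.
const PROXY_VARS = ['HTTP_PROXY', 'HTTPS_PROXY', 'http_proxy', 'https_proxy'];

// Classify a single proxy value by its URL scheme.
function classifyProxyValue(value) {
  if (!value || value.trim() === '') return 'not-set';
  let protocol;
  try {
    protocol = new URL(value).protocol; // e.g. "pac+http:" or "http:"
  } catch {
    return 'unknown'; // not a URL at all; cannot tell which agent would be used
  }
  return protocol.startsWith('pac+') ? 'pac' : 'plain-proxy';
}

// Classify a whole environment; the worst case across variables wins.
function classifyEnvironment(env = process.env) {
  const perVariable = {};
  for (const name of PROXY_VARS) {
    if (name in env) perVariable[name] = classifyProxyValue(env[name]);
  }
  const statuses = Object.values(perVariable);
  let overall = 'not-set';
  for (const level of ['plain-proxy', 'unknown', 'pac']) {
    if (statuses.includes(level)) overall = level;
  }
  return { overall, perVariable };
}

// Constructed sample environments mirroring the three cases in the thread.
const SAMPLES = {
  unset: {},
  plain: { HTTPS_PROXY: 'http://proxy.internal:3128' },
  pac: { HTTP_PROXY: 'pac+http://proxy.internal/proxy.pac' },
};

for (const [label, env] of Object.entries(SAMPLES)) {
  console.log(label, '->', classifyEnvironment(env).overall);
}
```

Run it in the same environment as the application (CI runner, container, developer shell) to see which scenario actually applies rather than guessing from the lockfile alone.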
Do we have an ETA for this?
Just giving an update, PR https://github.com/TooTallNate/proxy-agents/pull/224 seems promising so far. Tests are passing and I'm playing around with a fork of quickjs-emscripten that is stripped down of unnecessary features so that the install size of these packages doesn't bloat unnecessarily.
The author's message on NPM:
There is a full explanation in the readme of the project.
This is throwing a warning on every install of downstream packages like Puppeteer.