vm2 is now deprecated

[harryaswan]

The author's message on NPM:

The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

There is a full explanation in the readme of the project.

This is throwing a warning on every install of downstream packages link Puppeteer.

[TooTallNate]

The suggested alternative isolated-vm is probably a non-starter for this project, since it requires a C++ module, which I would like to avoid. I'm considering using QuickJS compiled to WASM instead.

[wcbastian]

Would be nice if pac-proxy support could be an optional dependency, it's frustrating to have security alerts go off for code that we are not using.

[sfc-gh-dszmolka]

Critical severity CVE-2023-37466 vm2 Sandbox Escape vulnerability advisory for vm2

[robbkidd]

❓Is my understanding of the exposure to the vm2 vulnerability to users of proxy-agent as of v6.2.2 correct? ❓

• JS runtime with proxy-agent loaded will have pac-proxy-agent loaded and therefore vm2.
• HTTP_PROXY/HTTPS_PROXY are not set: ✅
  • the pac-proxy-agent codepaths are not exercised and therefore vm2 is never used.
• HTTP_PROXY/HTTPS_PROXY are set, but values do not start with pac*: ✅
  • the pac-proxy-agent codepaths are not exercised and therefore vm2 is never used.
• HTTP_PROXY/HTTPS_PROXY are set to a URL starting with pac* pointing to a proxy auto-config file: 🤔
  • pac-proxy-agent is exercised, vm2 is used, and the code injection would have to be in the contents of the PAC file retrieved?

[TooTallNate]

@robbkidd Correct

[naveinaustin]

Do we have an ETA for this?

[TooTallNate]

Just giving an update, PR https://github.com/TooTallNate/proxy-agents/pull/224 seems promising so far. Tests are passing and I'm playing around with a fork of quickjs-emscripten that is stripped down of unnecessary features so that the install size of these packages doesn't bloat unnecessarily.