box / box-node-sdk

A Javascript interface for interacting with the Box API. You can find the node package at
https://www.npmjs.com/package/box-node-sdk
Apache License 2.0

Requesting new version with proxy-agent@6.3.0 upgrade to address vm2 critical vulnerability #843

Closed jhoward-ts closed 1 year ago

jhoward-ts commented 1 year ago

Is your feature request related to a problem? Please describe.

box-node-sdk depends on proxy-agent@5.0.0, which ultimately depends on a version of vm2 with critical vulnerabilities. Until now we have been able to use a resolutions directive to force newer patched versions of vm2 - but vm2 will no longer be patched.

Describe the solution you'd like

proxy-agent@6.3.0 removes the vm2 dependency - will box-node-sdk be updated to depend on this version of proxy-agent instead?

Describe alternatives you've considered

We've considered a resolution directive to force using proxy-agent@6.3.0 instead, but this seems very risky since it's a major version change and may break box-node-sdk internally.

Additional context

proxy-agent changelog. From this, it may be a fairly easy update to go from 5.0.0 to 6.3.0.
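The transitive-dependency situation described in this issue, as an added example that is not code from the box-node-sdk project: a script that walks an npm `package-lock.json` (v2/v3 `packages` map) using npm's nested-then-hoisted resolution and lists every chain that reaches `vm2`, so you can confirm whether a bump actually removed it. The lockfile data, the `other-tool` package and all version numbers are constructed placeholders.

```javascript
// Locate dependency `dep` required from the package installed at `from`, the way
// npm does: the requirer's own nested node_modules first, then each parent's.
function resolveDep(packages, from, dep) {
  let base = from;
  for (;;) {
    const candidate = base === '' ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}
// Depth-first walk from the root entry ("") collecting "name@version" chains that
// end at `target`; only `dependencies` is followed; `seen` cuts cycles on the path.
function findChainsTo(lockfile, target) {
  const packages = lockfile.packages;
  const chains = [];
  const visit = (path, chain, seen) => {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath || seen.has(depPath)) continue;
      const next = chain.concat(`${dep}@${packages[depPath].version}`);
      if (dep === target) chains.push(next.join(' -> '));
      else visit(depPath, next, new Set(seen).add(depPath));
    }
  };
  visit('', [], new Set(['']));
  return chains;
}
// Constructed lockfile: box-node-sdk on proxy-agent 5 (intermediate packages elided).
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  '': { dependencies: { 'box-node-sdk': '^3.1.0' } },
  'node_modules/box-node-sdk': { version: '3.1.0', dependencies: { 'proxy-agent': '^5.0.0' } },
  'node_modules/proxy-agent': { version: '5.0.0', dependencies: { vm2: '^3.0.0' } },
  'node_modules/vm2': { version: '3.0.0' },
} };
// After the bump: box-node-sdk now pulls proxy-agent 6, but a hypothetical second
// dependant ("other-tool") still nests proxy-agent 5, so vm2 remains in the tree.
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  '': { dependencies: { 'box-node-sdk': '^3.1.1', 'other-tool': '^1.0.0' } },
  'node_modules/box-node-sdk': { version: '3.1.1', dependencies: { 'proxy-agent': '^6.3.0' } },
  'node_modules/proxy-agent': { version: '6.3.0' },
  'node_modules/other-tool': { version: '1.0.0', dependencies: { 'proxy-agent': '^5.0.0' } },
  'node_modules/other-tool/node_modules/proxy-agent': { version: '5.0.0', dependencies: { vm2: '^3.0.0' } },
  'node_modules/vm2': { version: '3.0.0' },
} };

console.log('before:', findChainsTo(LOCK_BEFORE, 'vm2'), '\nafter:', findChainsTo(LOCK_AFTER, 'vm2'));
```

To run it against a real tree, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of the constructed objects; an empty result means the package is no longer reachable from the root.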

congminh1254 commented 1 year ago

Hi @jhoward-ts We have just bumped proxy-agent to the latest version, and released a fix with version 3.1.1. Please update the version and let us know if there is anything else we can help you with. Best, Minh