lazywithclass / winston-cloudwatch

Send logs to Amazon Cloudwatch using Winston.
MIT License
258 stars 105 forks

vm2 Sandbox Escape vulnerability #218

Closed micchickenburger closed 1 year ago

micchickenburger commented 1 year ago

Dependabot created a PR for this: https://github.com/lazywithclass/winston-cloudwatch/pull/216

# npm audit report

vm2  *
Severity: critical
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-cchq-frgv-rjh5
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-g644-9gfx-q4q4
fix available via `npm audit fix --force`
Will install winston-cloudwatch@3.0.2, which is a breaking change
node_modules/vm2
  degenerator  >=3.0.0
  Depends on vulnerable versions of vm2
  node_modules/degenerator
    pac-resolver  >=5.0.0
    Depends on vulnerable versions of degenerator
    node_modules/pac-resolver
      pac-proxy-agent  >=5.0.0
      Depends on vulnerable versions of pac-resolver
      node_modules/pac-proxy-agent
        proxy-agent  >=5.0.0
        Depends on vulnerable versions of pac-proxy-agent
        node_modules/proxy-agent
          winston-cloudwatch  >=3.1.0
          Depends on vulnerable versions of proxy-agent
          node_modules/winston-cloudwatch

JackieBinya commented 1 year ago

When will this be merged? We are anxiously waiting for this fix...