microsoft / react-native-code-push

React Native module for CodePush
http://appcenter.ms
Other
8.99k stars 1.48k forks source link

Critical vm2 vulnerable to sandbox escape #2489

Closed ramonjaspers closed 1 year ago

ramonjaspers commented 1 year ago

Code-push uses the superagent-proxy dependency which has not been updated in two years and has peers which are even older resulting in outdated dependencies. When running an audit with code-push installed the following critical is returned. critical │ vm2 vulnerable to sandbox escape
Package │ vm2
Patched in │ >=3.9.15
Dependency of │ react-native-code-push
Path react-native-code-push > code-push > superagent-proxy > │ proxy-agent > pac-proxy-agent > pac-resolver > degenerator > │ vm2More info │ https://www.npmjs.com/advisories/1091646

I see there already is a possible fix https://github.com/microsoft/react-native-code-push/pull/2482, what is the possible time of release?

ramonjaspers commented 1 year ago

for others, i currently fixed this in my repo by using https://www.npmjs.com/package/yarn-audit-fix

Grohden commented 1 year ago

@ramonjaspers but this is still an issue that codepush should solve updating their deps right? can't we reopen this one?