nest-modules / mailer

📨 A mailer module for Nest framework (node.js)
https://nest-modules.github.io/mailer/
MIT License

vm2 transitive dependency security vulnerability #1070

Closed lsacco-nutreense closed 10 months ago

lsacco-nutreense commented 1 year ago

Summary

A transitive dependency you have in the latest version seems to be impacted by this [issue](https://github.com/patriksimek/vm2/issues/515).

Details

Here's what I see when I run npm audit.

```
# npm audit report

vm2  *
Severity: critical
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-cchq-frgv-rjh5
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-g644-9gfx-q4q4
fix available via `npm audit fix`
node_modules/vm2
  degenerator  3.0.0 - 4.0.4
  Depends on vulnerable versions of vm2
  node_modules/degenerator
    pac-resolver  5.0.0 - 6.0.2
    Depends on vulnerable versions of degenerator
    node_modules/pac-resolver
      pac-proxy-agent  5.0.0 - 6.0.4
      Depends on vulnerable versions of pac-resolver
      node_modules/pac-proxy-agent
        proxy-agent  5.0.0 - 6.2.2
        Depends on vulnerable versions of pac-proxy-agent
        node_modules/proxy-agent
          superagent-proxy  >=3.0.0
          Depends on vulnerable versions of proxy-agent
          node_modules/superagent-proxy
            remote-content  >=3.0.0
            Depends on vulnerable versions of superagent-proxy
            node_modules/remote-content
              href-content  >=2.0.1
              Depends on vulnerable versions of remote-content
              node_modules/href-content
                extract-css  >=2.0.1
                Depends on vulnerable versions of href-content
                node_modules/extract-css
                  inline-css  >=4.0.0
                  Depends on vulnerable versions of extract-css
                  node_modules/inline-css
                    @nestjs-modules/mailer  >=1.8.1
                    Depends on vulnerable versions of inline-css
                    node_modules/@nestjs-modules/mailer

11 critical severity vulnerabilities

└─┬ @nestjs-modules/mailer@1.9.1
  └─┬ inline-css@4.0.2
    └─┬ extract-css@3.0.1
      └─┬ href-content@2.0.2
        └─┬ remote-content@3.0.1
          └─┬ superagent-proxy@3.0.0
            └─┬ proxy-agent@5.0.0
              └─┬ pac-proxy-agent@5.0.0
                └─┬ pac-resolver@5.0.1
                  └─┬ degenerator@3.0.4
                    └── vm2@3.9.19
```

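
The audit report above is the output of a network-backed tool; to answer the same question offline ("which of my direct dependencies drags vm2 in, and through what chain?"), here is an added example script that is not code from the mailer project or from anyone in this thread. It walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3), resolves each dependency the way Node does (nearest `node_modules`, walking up to the root), and returns every path that ends at a target package. The embedded lockfile is constructed from the versions in the report; the function names `resolveDep`, `findPathsTo` and `formatPath` are chosen here and not part of npm.

```javascript
// Added example (not from the mailer project or this thread): list every path
// through a package-lock.json "packages" map that ends at a given package.

// Constructed sample lockfile mirroring the chain shown in the audit report.
const SAMPLE_CHAIN = [
  ['@nestjs-modules/mailer', '1.9.1'],
  ['inline-css', '4.0.2'],
  ['extract-css', '3.0.1'],
  ['href-content', '2.0.2'],
  ['remote-content', '3.0.1'],
  ['superagent-proxy', '3.0.0'],
  ['proxy-agent', '5.0.0'],
  ['pac-proxy-agent', '5.0.0'],
  ['pac-resolver', '5.0.1'],
  ['degenerator', '3.0.4'],
  ['vm2', '3.9.19'],
];

function buildSampleLock(chain) {
  // Root package (key "") depends on the first link; each link depends on the next.
  const packages = { '': { dependencies: { [chain[0][0]]: `^${chain[0][1]}` } } };
  chain.forEach(([name, version], i) => {
    const entry = { version };
    if (i + 1 < chain.length) {
      entry.dependencies = { [chain[i + 1][0]]: `^${chain[i + 1][1]}` };
    }
    packages[`node_modules/${name}`] = entry;
  });
  return { name: 'demo-app', lockfileVersion: 3, packages };
}

const SAMPLE_LOCK = buildSampleLock(SAMPLE_CHAIN);

// Node-style resolution inside the lockfile: look for `dep` in the nearest
// node_modules folder relative to `fromPath`, walking up toward the root.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root package collecting each chain of
// "name@version" labels that ends at `target`. Only the regular
// `dependencies` field is followed; cycles are cut with `onStack`.
function findPathsTo(lock, target) {
  const packages = lock.packages || {};
  const results = [];
  const onStack = new Set();

  function walk(path, trail) {
    const entry = packages[path];
    if (!entry) return;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath || onStack.has(depPath)) continue;
      const next = trail.concat(`${dep}@${packages[depPath].version}`);
      if (dep === target) { results.push(next); continue; }
      onStack.add(depPath);
      walk(depPath, next);
      onStack.delete(depPath);
    }
  }

  walk('', []);
  return results;
}

// Render one path as: a@1 > b@2 > c@3
function formatPath(path) {
  return path.join(' > ');
}

// CLI: node find-dep-path.js [package-lock.json] [target]; with no
// arguments it runs against the embedded sample lockfile.
if (typeof require !== 'undefined' && require.main === module) {
  const [, , lockFile, target = 'vm2'] = process.argv;
  const lock = lockFile
    ? JSON.parse(require('fs').readFileSync(lockFile, 'utf8'))
    : SAMPLE_LOCK;
  const paths = findPathsTo(lock, target);
  console.log(`${paths.length} path(s) to ${target}:`);
  for (const p of paths) console.log('  ' + formatPath(p));
}
```

Point it at a real lockfile with `node find-dep-path.js package-lock.json vm2`; if it prints no paths, the package is not reachable through `dependencies` in that lockfile, which is the state you want to confirm after upgrading past the affected mailer release.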
sswayney commented 1 year ago

There is a finished PR but we need a release https://github.com/nest-modules/mailer/pull/1021

lsacco-nutreense commented 1 year ago

@sswayney what's the process to get it released? Can I help advocate for that?

lsacco-nutreense commented 12 months ago

Snyk super unhappy about this version. Any update?

gterras commented 12 months ago

Workaround before release https://github.com/nest-modules/mailer/pull/1021#issuecomment-1793572428