nuxt-modules / og-image

Generate OG Images with Vue templates in Nuxt.
https://nuxtseo.com/og-image

vm2@3.9.19: The library contains critical security issues and should not be used for production! #69

Closed 9mm closed 1 year ago

9mm commented 1 year ago

Describe the bug

When installing nuxt-og-image I get this error because of some insane chain of dependencies. I don't know where in the chain the issue should be added, but considering nuxt-og-image is the actual library I care about, I'm putting it here.

 WARN  deprecated vm2@3.9.19: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

Reproduction

No response

System / Nuxt Info

I'm using pnpm to install
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ vm2 Sandbox Escape vulnerability                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ vm2                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.9.19                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > nuxt-og-image@2.0.13 > inline-css@4.0.2 >          │
│                     │ extract-css@3.0.1 > href-content@2.0.2 >               │
│                     │ remote-content@3.0.1 > superagent-proxy@3.0.0 >        │
│                     │ proxy-agent@5.0.0 > pac-proxy-agent@5.0.0 >            │
│                     │ pac-resolver@5.0.1 > degenerator@3.0.4 > vm2@3.9.19    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-cchq-frgv-rjh5      │
└─────────────────────┴────────────────────────────────────────────────────────┘

6ixfalls commented 1 year ago

You can use overrides in package.json for npm or resolutions for yarn - here's a reference:

Concept https://github.com/TooTallNate/superagent-proxy/issues/48#issuecomment-1654802068 - This doesn't seem to affect functionality for my use-case.
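
An added example (not code from this thread or from the nuxt-og-image project): a Node script that walks an `npm ls --all --json` shaped tree, lists every path that reaches the flagged package within the advisory's affected range, names the ancestors where an override could be applied, and prints the package.json fragment each package manager reads for a forced version. The sample tree is constructed here to mirror the audit path quoted in the issue, plus one invented second consumer; the `REPLACEMENT` range is a placeholder, because the advisory lists no patched vm2 version (`<0.0.0`), so the override has to target an ancestor that dropped vm2, and which version that is must be confirmed against that package's changelog.

```javascript
'use strict';

// Build a tree shaped like `npm ls --all --json` from dependency chains.
// Constructed for this example; not real installer output.
function fromChains(chains) {
  const root = { name: 'my-app', version: '1.0.0', dependencies: {} };
  for (const chain of chains) {
    let node = root;
    for (const spec of chain) {
      const at = spec.lastIndexOf('@');
      const name = spec.slice(0, at);
      const version = spec.slice(at + 1);
      if (!node.dependencies) node.dependencies = {};
      if (!node.dependencies[name]) node.dependencies[name] = { version };
      node = node.dependencies[name];
    }
  }
  return root;
}

const SAMPLE_TREE = fromChains([
  // mirrors the path in the pnpm audit table quoted in the issue
  ['nuxt-og-image@2.0.13', 'inline-css@4.0.2', 'extract-css@3.0.1',
   'href-content@2.0.2', 'remote-content@3.0.1', 'superagent-proxy@3.0.0',
   'proxy-agent@5.0.0', 'pac-proxy-agent@5.0.0', 'pac-resolver@5.0.1',
   'degenerator@3.0.4', 'vm2@3.9.19'],
  // an invented second consumer on an older copy, to exercise the range check
  ['some-dev-tool@1.2.3', 'vm2@3.9.17'],
]);

// Numeric x.y.z comparison; enough for the `<=3.9.19` style ranges in advisories.
function versionLte(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return true;
}

// Every path from the root to an installed copy of `target` whose version
// falls in the affected range. Each path is an array of "name@version".
function findAffectedPaths(tree, target, maxAffected) {
  const hits = [];
  const walk = (node, trail) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = trail.concat(`${name}@${child.version}`);
      if (name === target && versionLte(child.version, maxAffected)) hits.push(here);
      walk(child, here);
    }
  };
  walk(tree, []);
  return hits;
}

// Candidate override points for one path: the direct parent first, then each
// ancestor up to the direct dependency. Which of them has a release that no
// longer pulls the flagged package still has to be checked upstream.
function overrideCandidates(path) {
  return path.slice(0, -1).reverse().map((spec) => spec.slice(0, spec.lastIndexOf('@')));
}

// The package.json fragment each package manager reads for a forced version.
function overrideSnippet(manager, name, range) {
  switch (manager) {
    case 'npm':  return { overrides: { [name]: range } };
    case 'pnpm': return { pnpm: { overrides: { [name]: range } } };
    case 'yarn': return { resolutions: { [name]: range } };
    default: throw new Error(`unknown package manager: ${manager}`);
  }
}

// Placeholder (assumption): pick the direct parent as the override target and
// fill in a vm2-free version only after confirming it in that package's changelog.
const REPLACEMENT = { name: 'degenerator', range: '<confirm-vm2-free-version>' };

function main() {
  const paths = findAffectedPaths(SAMPLE_TREE, 'vm2', '3.9.19');
  for (const p of paths) {
    console.log(p.join(' > '));
    console.log('  override candidates:', overrideCandidates(p).join(', '));
  }
  for (const pm of ['npm', 'pnpm', 'yarn']) {
    console.log(pm, JSON.stringify(overrideSnippet(pm, REPLACEMENT.name, REPLACEMENT.range)));
  }
}

main();
```

On a real project, replace `SAMPLE_TREE` with `JSON.parse` of `npm ls --all --json` output (or use `pnpm why vm2` / `npm ls vm2 --all` directly for a quick look). Forcing a version of an ancestor is only safe if that ancestor's newer release is API-compatible with its own parent in the chain, so rerun the application's own tests after applying the override.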

harlan-zw commented 1 year ago

To give some context on this error: this is from the inline-css dependency, which is used to inline styles.

The inline-css implementation won't process fetches, so the vm2 code should never run.

I'd like to replace this dependency with something else but I don't have the capacity at the moment.

aoor9 commented 1 year ago

I took care of it once, and I can contribute by doing the same to this package.

harlan-zw commented 1 year ago

> I took care of it once, and I can contribute by doing the same to this package.

That would be amazing!

harlan-zw commented 1 year ago

Fixed in 2.0.27 thanks to the great work of @aoor9 :raised_hands: