Open AlabasterAxe opened 2 years ago
@srubin FYI
I ran into the same issue when trying to upgrade from 4.33.0 to 4.34.0. It appears this might be due to the superagent update that was listed in the PubNub JS SDK changelog for 4.34.0.
We're using webpack to package our Node.js lambda which uses PubNub JS SDK and this prevents us from upgrading to any version of the PubNub JS SDK beyond 4.33.0.
I face the same issue for serverless functions, for example AWS Lambda: my TypeScript compiles it into a single file, so it doesn't work, because of the following flow:
Pubnub uses superagent-proxy
superagent-proxy uses vm2
vm2 executes the following code inline during execution: ${fs.readFileSync(`${__dirname}/bridge.js`, "utf8")}, so it's not possible to predict file loading
It has taken me a while to figure this out. This is very important. I can't use the latest version
I have found a work-around for this issue, but it's pretty ugly. What I do is copy node_modules/vm2/lib/bridge.js and node_modules/vm2/lib/setup-sandbox.js into my lambda zip file that I deploy. This makes those files available at run-time. With this workaround I can use PubNub v5.0.1 with rollup but it should also work with webpack.
I hope that this issue gets a real resolution soon.
Also seeing the same issues and we need to update the SDK because of some high severity security issues: https://www.cve.org/CVERecord?id=CVE-2021-23406
Similar to @patela, but I added the files to my webpack config, so at least the files are bundled. Ideally we wouldn't need to do this.
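// these files are required by vm2 which is a dependency of the pubnub SDK
const path = require('path'); // needed for path.resolve below

// emit vm2's bridge.js into the build directory next to the bundle
const bridgeConfig = {
  entry: './node_modules/vm2/lib/bridge.js',
  output: {
    filename: 'bridge.js',
    path: path.resolve(__dirname, '../build')
  }
};

// emit vm2's setup-sandbox.js into the same directory
const sandboxConfig = {
  entry: './node_modules/vm2/lib/setup-sandbox.js',
  output: {
    filename: 'setup-sandbox.js',
    path: path.resolve(__dirname, '../build')
  }
};

// otherConfigs: the project's existing webpack configs, defined elsewhere
module.exports = [
  ...otherConfigs,
  bridgeConfig,
  sandboxConfig
];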
I have a library that uses Pusher and I want to replace it with PubNub and I run into this issue when I use the library with PubNub. I want to supply the library without specific Webpack instructions. Any tips on how this could be done?
Is there any plan to fix this issue? This is a critical third-party component vulnerability. https://security.snyk.io/vuln/SNYK-JS-VM2-5537100
Hi! Yes, the PR https://github.com/pubnub/javascript/pull/331 was merged successfully, which addresses the severe vulnerability warnings for vm2 usage: https://security.snyk.io/vuln/SNYK-JS-VM2-5537100
We recently attempted to upgrade our version of pubnub but we're blocked by similar issues to the one highlighted by: https://github.com/pubnub/javascript/issues/239
In our case, vm2 makes a call to require(coffee-script) and attempts to call readFileSync on a file called bridge.js that it supplies, both of which cause our build to fail.
It looks like we should be able to work around it by patching out the dependency on pac-proxy-agent. Basically, I have two questions:
Edit: we're currently on 4.29.7, we've attempted to upgrade to a couple of different versions but any greater version than our current version caused these issues.