pubnub / javascript

PubNub JavaScript SDK docs https://www.pubnub.com/docs/sdks/javascript

vm2 resulting in critical Audit failure for PubNub SDK #330

Closed ckotyan closed 1 year ago

ckotyan commented 1 year ago

Our npm audit started failing with a critical vulnerability in the vm2 dependency, included indirectly (via proxy-agent) by the PubNub JavaScript SDK (latest 7.x). Not sure if PubNub is aware of it and has a plan to address this.

https://github.com/advisories/GHSA-g644-9gfx-q4q4

Could you provide ways to fix it? Thanks, Chandra

zymotik commented 1 year ago

The issue lies in proxy-agent as you mention. Therefore, PubNub would need to wait for their issue to be resolved and released before they can update the pubnub package dependencies.

From my understanding, and correct me if I am wrong, this is a problem only if you are using pubnub server-side. If you are using the pubnub client in a browser, then proxy agents cannot be used anyway.

zymotik commented 1 year ago

I've found the reference to setting the proxy in the documentation, notice it says "This method is only available for NodeJS". Hence my belief that this is safe to ignore if using the SDK as part of your web application on the client side.

See: https://www.pubnub.com/docs/sdks/javascript/api-reference/misc#setproxy

zymotik commented 1 year ago

To fix this issue, I forked the dependency "superagent-proxy" and changed the code to bypass the undesired functionality. I then used the npm overrides feature to use our code instead of the vulnerable code.

See instructions in the readme: https://github.com/ezra-virtualvenue-next/superagent-proxy

NoriSte commented 1 year ago

They fixed the issue https://github.com/TooTallNate/proxy-agents/issues/218

and released an updated version 😊 https://github.com/TooTallNate/proxy-agents/releases/tag/proxy-agent%406.3.0
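As an added example (not code from the PubNub SDK or from anyone in this thread): a Node.js check that reads an npm lockfile's `packages` map, flags any vm2 entry and any proxy-agent older than 6.3.0 (the release named above as the fix), and prints the chain from the project's own dependencies down to vm2. The lockfile object is a constructed, abbreviated sample and all function names are my own.

```javascript
// Added example, not code from the PubNub SDK or anyone in the thread: scan an
// npm lockfile (lockfileVersion 2/3 "packages" map) for vm2 and old proxy-agent.
// Constructed, abbreviated sample lockfile; real chains have more hops.
const SAMPLE_LOCK = {
  packages: {
    '': { dependencies: { pubnub: '^7.0.0' } },
    'node_modules/pubnub': { version: '7.2.0', dependencies: { 'proxy-agent': '^5.0.0' } },
    'node_modules/proxy-agent': { version: '5.0.0', dependencies: { vm2: '^3.9.0' } },
    'node_modules/vm2': { version: '3.9.0' },
  },
};
const FIXED_PROXY_AGENT = '6.3.0'; // release the thread names as the fix
// Numeric-aware compare so that 6.10.0 sorts after 6.3.0 (prereleases not handled).
const olderThan = (a, b) => a.localeCompare(b, undefined, { numeric: true }) < 0;
// Resolve depName from a package path as npm does: nearest node_modules, then walk up.
function resolveDep(lock, fromPath, depName) {
  for (let base = fromPath; ; ) {
    const candidate = `${base ? base + '/' : ''}node_modules/${depName}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null; // reached the root project (key '') without a hit
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}
// Breadth-first walk from the root; returns the name@version chain to targetName, or null.
function dependencyChain(lock, targetName) {
  const seen = new Set(['']), queue = [{ path: '', chain: [] }];
  while (queue.length) {
    const { path, chain } = queue.shift();
    for (const dep of Object.keys(lock.packages[path].dependencies || {})) {
      const resolved = resolveDep(lock, path, dep);
      if (!resolved || seen.has(resolved)) continue;
      seen.add(resolved);
      const next = [...chain, `${dep}@${lock.packages[resolved].version}`];
      if (dep === targetName) return next;
      queue.push({ path: resolved, chain: next });
    }
  }
  return null;
}
// Findings a CI gate can fail on: vm2 present anywhere, or an unfixed proxy-agent.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    const name = path.split('node_modules/').pop(); // last path segment is the package name
    if (name === 'vm2') findings.push(`${path}: vm2@${pkg.version} (GHSA-g644-9gfx-q4q4)`);
    if (name === 'proxy-agent' && olderThan(pkg.version, FIXED_PROXY_AGENT))
      findings.push(`${path}: proxy-agent@${pkg.version} predates ${FIXED_PROXY_AGENT}`);
  }
  return findings;
}
```

Run it against a real file with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of the sample; an empty findings list after upgrading pubnub confirms the transitive vm2 dependency is gone.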

parfeon commented 1 year ago

Issue has been addressed, merged and released with #331

NoriSte commented 1 year ago

> Issue has been addressed, merged and released with #331

Thank you SO MUCH 🤗