stoplightio / spectral

A flexible JSON/YAML linter for creating automated style guides, with baked-in support for OpenAPI v3.1, v3.0, and v2.0 as well as AsyncAPI v2.x.
https://stoplight.io/spectral
Apache License 2.0

Critical vulnerability (CVE-2023-37466) reported due to transitive dependency, vm2 which is discontinued. #2510

Closed brandonlenz closed 1 year ago

brandonlenz commented 1 year ago

Chore summary

CVE-2023-37466

Replace dependencies resulting in the use of vm2. Instead, dependencies should consider isolated-vm, recommended by the maintainer who discontinued support of vm2.

Tasks

P0lip commented 1 year ago

We don't use vm2 directly. vm2 is one of the dependencies used indirectly by proxy-agent; seems like they already have an issue open: https://github.com/TooTallNate/proxy-agents/issues/218. I'll keep an eye out for it and will update proxy-agent as soon as the fixed version is out.
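The claim above (vm2 is not a direct dependency but arrives through proxy-agent) is the kind of thing worth verifying from the lockfile rather than from memory, both before a fix and after it. The script below is an added example, not Spectral project code: it walks a `package-lock.json` (lockfileVersion 2 or 3) using Node's own `node_modules` lookup order and prints every dependency chain that ends at a given package, so the direct dependency that needs upgrading or replacing is the first element of each chain. The two lockfile objects are constructed for illustration; their package names follow this thread, but the version numbers and the exact dependency layout are not copied from any real lockfile.

```javascript
// Added example (not Spectral project code): trace which direct dependency pulls a
// given package into a package-lock.json (lockfileVersion 2 or 3), so a transitive
// dependency such as vm2 can be tied to the entry that needs upgrading or replacing.

// Constructed lockfile excerpt: names mirror the thread, but the versions and the
// exact dependency layout are illustrative, not taken from a real lockfile.
const lockWithVm2 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "proxy-agent": "^6.2.0", "proxy-from-env": "^1.1.0" } },
    "node_modules/proxy-agent": {
      version: "6.2.0",
      dependencies: { "pac-proxy-agent": "^6.0.0", "proxy-from-env": "^1.1.0" },
    },
    "node_modules/pac-proxy-agent": { version: "6.0.0", dependencies: { "pac-resolver": "^6.0.0" } },
    "node_modules/pac-resolver": { version: "6.0.0", dependencies: { degenerator: "^4.0.0" } },
    "node_modules/degenerator": { version: "4.0.0", dependencies: { vm2: "^3.9.19" } },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/proxy-from-env": { version: "1.1.0" },
  },
};

// The same app after swapping proxy-agent for hpagent + proxy-from-env (constructed).
const lockAfterSwap = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { hpagent: "^1.2.0", "proxy-from-env": "^1.1.0" } },
    "node_modules/hpagent": { version: "1.2.0" },
    "node_modules/proxy-from-env": { version: "1.1.0" },
  },
};

// Mimic Node's resolution: look for node_modules/<dep> beside the requiring
// package, then in each enclosing package, and finally at the project root.
function resolveDep(fromPath, dep, packages) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return every chain of "name@version" labels from the root down to `target`.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const visit = (path, chain) => {
    const pkg = packages[path];
    if (!pkg) return;
    const deps = {
      ...(pkg.dependencies || {}),
      ...(pkg.optionalDependencies || {}),
      ...(path === "" ? pkg.devDependencies || {} : {}), // root lists dev deps too
    };
    for (const dep of Object.keys(deps)) {
      const depPath = resolveDep(path, dep, packages);
      if (!depPath) continue; // not installed (e.g. skipped optional dep)
      const label = `${dep}@${packages[depPath].version || "?"}`;
      if (chain.includes(label)) continue; // cycle guard
      const next = [...chain, label];
      if (dep === target) chains.push(next);
      else visit(depPath, next);
    }
  };
  visit("", []);
  return chains;
}

// The direct dependencies responsible for pulling `target` in (sorted, de-duplicated).
function directCulprits(lock, target) {
  const names = findChains(lock, target).map((c) => c[0].slice(0, c[0].lastIndexOf("@")));
  return [...new Set(names)].sort();
}

console.log(findChains(lockWithVm2, "vm2").map((c) => c.join(" > ")));
// [ 'proxy-agent@6.2.0 > pac-proxy-agent@6.0.0 > pac-resolver@6.0.0 > degenerator@4.0.0 > vm2@3.9.19' ]
console.log(directCulprits(lockWithVm2, "vm2")); // [ 'proxy-agent' ]
console.log(findChains(lockAfterSwap, "vm2")); // []
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result after the upgrade or swap is the evidence that the transitive dependency is actually gone, which is more reliable than the audit tooling's summary alone.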

silverwind commented 1 year ago

You could just replace proxy-agent with hpagent and possibly proxy-from-env (when needed), both are 0-dependency modules.

P0lip commented 1 year ago

I'd be happy to use hpagent, but the problem with that dependency is that its lowest supported Node.js version is 14, while Spectral still supports 12. Given Node.js 14 is already EOL (and 16 is soon to reach EOL as well), we'll inevitably drop support for these versions, but as things stand we cannot just make a switch 😞

EDIT: ah, looks like proxy-agent dropped support for Node 12

hinnerk-optibus commented 1 year ago

Upstream dependency proxy-agents closed the vulnerability in version 6.3.0 https://github.com/TooTallNate/proxy-agents/pull/224

silverwind commented 1 year ago

Glad you found a way to use hpagent, that alone will reduce the module size by 5MB+ 👍

Edit: Packagephobia confirms.

stoplight-bot commented 1 year ago

:tada: This issue has been resolved in version 6.9.0 :tada:

The release is available on npm package (@latest dist-tag)

Your semantic-release bot :package::rocket: