stoplightio / spectral

A flexible JSON/YAML linter for creating automated style guides, with baked in support for OpenAPI v3.1, v3.0, and v2.0 as well as AsyncAPI v2.x.
https://stoplight.io/spectral
Apache License 2.0

Update proxy-agent to remove vulnerable vm2 dependency #2519

Closed matthewsac closed 1 year ago

matthewsac commented 1 year ago

Dependabot issued a critical alert on the vm2 library which is used by proxy-agent. A new version of proxy-agent removes this vulnerability by replacing vm2. Spectral needs to be updated to use this new version.

Links to the two Dependabot alerts that relate to this issue:

265 266

Link to the new proxy-agent version to be used: proxy-agent@6.3.0

NOTE: This update must also be done for prism and platform-internal. See the links to the other issues in the comments.

matthewsac commented 1 year ago

Prism: https://github.com/stoplightio/prism/issues/2342

Platform-internal: https://github.com/stoplightio/platform-internal/issues/17519

P0lip commented 1 year ago

@matthewsac Spectral has already been addressed in #2513
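
To confirm that an upgrade like the one requested in this issue really removes vm2 from the install tree, the lockfile can be walked for every dependency chain that ends at that package. This is an added example, not code from Spectral or from the thread; both lockfiles are constructed, and `hypothetical-resolver` and all version strings are placeholders.

```javascript
// Constructed lockfiles in npm's lockfileVersion 3 shape. Versions and the
// intermediate package "hypothetical-resolver" are placeholders, not real data.
const lockBefore = { lockfileVersion: 3, packages: {
  "": { name: "example-app", dependencies: { "proxy-agent": "*" } },
  "node_modules/proxy-agent": { version: "0.0.0-old", dependencies: { "hypothetical-resolver": "*" } },
  "node_modules/hypothetical-resolver": { version: "0.0.0", dependencies: { vm2: "*" } },
  "node_modules/hypothetical-resolver/node_modules/vm2": { version: "0.0.0" },
} };
const lockAfter = { lockfileVersion: 3, packages: {
  "": { name: "example-app", dependencies: { "proxy-agent": "*" } },
  "node_modules/proxy-agent": { version: "0.0.0-new" },
} };

// Resolve `dep` as required from the package at `fromPath`, the way Node does:
// look in the nearest node_modules, then walk up toward the root.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return every chain of "name@version" labels from the root project to `target`.
function findPathsTo(lock, target) {
  const packages = lock.packages || {};
  const found = [];
  const walk = (path, chain, seen) => {
    const entry = packages[path];
    const deps = { ...entry.dependencies, ...entry.optionalDependencies,
                   ...(path === "" ? entry.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, dep);
      if (!resolved || seen.has(resolved)) continue; // missing optional dep or cycle
      const label = dep + "@" + packages[resolved].version;
      if (dep === target) { found.push([...chain, label]); continue; }
      walk(resolved, [...chain, label], new Set(seen).add(resolved));
    }
  };
  if (packages[""]) walk("", [], new Set([""]));
  return found;
}

console.log("before:", findPathsTo(lockBefore, "vm2").map((c) => c.join(" > ")));
console.log("after: ", findPathsTo(lockAfter, "vm2"));
```

For a real project, pass the parsed contents of `package-lock.json` instead of the constructed objects; the first label of each chain is the direct dependency that has to be upgraded or replaced.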