Open bourpie opened 11 months ago
vm2 has been deprecated for a while now, and we already planned to update to a different library here #263. The vulnerabilities in vm2 allow for malicious code to escape the sandbox. I think if you only run trusted request scripts it should be fine for now, but we will definitely address this in the future.
I would say that this should be fairly high priority if you're looking to drive adoption. I'm evaluating Bruno to use at my workplace and things like that will definitely raise eyebrows. I wanted to test the cli but immediately uninstalled it when confronted by those security warnings.
Is there any progress on this? I love Bruno, but unfortunately cannot use the CLI until this is addressed and thus cannot use it to automate API testing
Not really, I opened a second PR that replaced vm2 with the native vm module. But this did not get any attention yet.
Are there any plans from the main contributors to fix any of the critical bugs?
As of today this is what I get from npm audit:
44 vulnerabilities (31 moderate, 9 high, 4 critical)
Critical packages being:
vm2
underscore
minimist
I know that there has been some discussion of getting this fixed but I would love to start using the cli in my environment but can't until this is fixed.
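Since several people here want to run the CLI from a pipeline and are blocked by the npm audit result, a small gate that parses `npm audit --json` and fails the job at a chosen severity is one way to make that decision explicit. This is an added example, not Bruno's code; it assumes the npm 7+ report shape (`auditReportVersion: 2`, a `vulnerabilities` object keyed by package name), and the sample report is constructed to mirror the three critical packages named above, not a real audit of the project.

```javascript
// Severity order used by npm audit; unknown values are treated as critical
// so a malformed report fails closed rather than slipping through.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Evaluate a parsed `npm audit --json` report. Returns per-severity counts,
// the packages at or above `failAt`, and `ok` (true when the gate passes).
function evaluateAudit(report, failAt = "high") {
  const threshold = SEVERITY_RANK[failAt];
  if (threshold === undefined) throw new Error(`unknown severity: ${failAt}`);
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const failing = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const sev = vuln.severity in SEVERITY_RANK ? vuln.severity : "critical";
    counts[sev] += 1;
    if (SEVERITY_RANK[sev] >= threshold) {
      failing.push({
        name,
        severity: sev,
        direct: Boolean(vuln.isDirect),          // direct vs transitive dependency
        fixAvailable: vuln.fixAvailable !== false, // npm sets false when no fix exists
      });
    }
  }
  // Worst severity first, then by name, so the CI log leads with what matters.
  failing.sort((a, b) =>
    SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
  return { counts, failing, ok: failing.length === 0 };
}

// Constructed sample report (not real audit output): the three critical
// packages from the thread plus one moderate transitive finding.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    vm2: { name: "vm2", severity: "critical", isDirect: true, fixAvailable: false },
    underscore: { name: "underscore", severity: "critical", isDirect: false, fixAvailable: true },
    minimist: { name: "minimist", severity: "critical", isDirect: false, fixAvailable: true },
    "example-transitive": { name: "example-transitive", severity: "moderate", isDirect: false, fixAvailable: true },
  },
};

// In a pipeline: `npm audit --json > audit.json`, parse it, and exit non-zero
// when `ok` is false. Here we just print the verdict for the sample.
const verdict = evaluateAudit(SAMPLE_REPORT, "high");
console.log(verdict.ok ? "audit gate passed" : "audit gate FAILED", verdict.counts);
for (const f of verdict.failing) {
  console.log(`  ${f.severity.padEnd(8)} ${f.name}${f.direct ? " (direct)" : ""}${f.fixAvailable ? "" : " no fix available"}`);
}
```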
I agree with the above comments about this getting fixed so we can use it in our CI/CD pipelines.
It's very critical that we can get the command line for Bruno working for CI/CD, as CI/CD is a very critical component in software development and will definitely drive adoption for Bruno. It would be greatly appreciated if we could get this fix soon; it stops me from using it in my workplace.
Is it possible to share timelines for when this issue will be resolved?
This is a critical security vulnerability which needs to be resolved before we can use the bru CLI in CI/CD pipelines.
When installing the CLI on Node v18.14.1, I get this message