vm2 transitive dependency security vulnerability #1070

Closed
lsacco-nutreense opened this issue Oct 20, 2023 · 4 comments

Comments

@lsacco-nutreense

Summary

A transitive dependency you have in the latest version seems to be impacted by this [issue](https://github.com/patriksimek/vm2/issues/515).

Details

Here's what I see when I run npm audit.

```text
# npm audit report

vm2  *
Severity: critical
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-cchq-frgv-rjh5
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-g644-9gfx-q4q4
fix available via `npm audit fix`
node_modules/vm2
  degenerator  3.0.0 - 4.0.4
  Depends on vulnerable versions of vm2
  node_modules/degenerator
    pac-resolver  5.0.0 - 6.0.2
    Depends on vulnerable versions of degenerator
    node_modules/pac-resolver
      pac-proxy-agent  5.0.0 - 6.0.4
      Depends on vulnerable versions of pac-resolver
      node_modules/pac-proxy-agent
        proxy-agent  5.0.0 - 6.2.2
        Depends on vulnerable versions of pac-proxy-agent
        node_modules/proxy-agent
          superagent-proxy  >=3.0.0
          Depends on vulnerable versions of proxy-agent
          node_modules/superagent-proxy
            remote-content  >=3.0.0
            Depends on vulnerable versions of superagent-proxy
            node_modules/remote-content
              href-content  >=2.0.1
              Depends on vulnerable versions of remote-content
              node_modules/href-content
                extract-css  >=2.0.1
                Depends on vulnerable versions of href-content
                node_modules/extract-css
                  inline-css  >=4.0.0
                  Depends on vulnerable versions of extract-css
                  node_modules/inline-css
                    @nestjs-modules/mailer  >=1.8.1
                    Depends on vulnerable versions of inline-css
                    node_modules/@nestjs-modules/mailer

11 critical severity vulnerabilities

└─┬ @nestjs-modules/mailer@1.9.1
  └─┬ inline-css@4.0.2
    └─┬ extract-css@3.0.1
      └─┬ href-content@2.0.2
        └─┬ remote-content@3.0.1
          └─┬ superagent-proxy@3.0.0
            └─┬ proxy-agent@5.0.0
              └─┬ pac-proxy-agent@5.0.0
                └─┬ pac-resolver@5.0.1
                  └─┬ degenerator@3.0.4
                    └── vm2@3.9.19
```
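The report above is the human-readable form of `npm audit`; the same data is available as `npm audit --json` (auditReportVersion 2), where each package in the chain has its own entry whose `effects` array names the packages that depend on it and whose `isDirect` flag marks entries that come straight from `package.json`. The script below, an added example that is not part of this issue or of the mailer project, walks that graph from the vulnerable transitive package up to the direct dependency that introduces it, which is the entry a fix (upgrade or override) has to target. The report it runs on is a constructed fixture modelled on the chain in this thread, not captured output.

```javascript
// Added example: locate the direct dependency behind a vulnerable transitive
// package in an `npm audit --json` (auditReportVersion 2) report.

// Constructed fixture mirroring the chain reported in this issue. In a real
// report `via` holds advisory objects for the root-cause package and
// package-name strings for packages that are only affected through a
// dependency; `effects` lists the packages that depend on this one.
const CHAIN = [
  'vm2', 'degenerator', 'pac-resolver', 'pac-proxy-agent', 'proxy-agent',
  'superagent-proxy', 'remote-content', 'href-content', 'extract-css',
  'inline-css', '@nestjs-modules/mailer',
];
const ADVISORIES = [
  'https://github.com/advisories/GHSA-cchq-frgv-rjh5',
  'https://github.com/advisories/GHSA-g644-9gfx-q4q4',
];

function buildFixture() {
  const vulnerabilities = {};
  CHAIN.forEach((name, i) => {
    vulnerabilities[name] = {
      name,
      severity: 'critical',
      isDirect: i === CHAIN.length - 1, // only the mailer is in package.json
      via: i === 0
        ? ADVISORIES.map((url) => ({
            title: 'vm2 Sandbox Escape vulnerability', url, severity: 'critical', range: '*',
          }))
        : [CHAIN[i - 1]],
      effects: i + 1 < CHAIN.length ? [CHAIN[i + 1]] : [],
      nodes: [`node_modules/${name}`],
      fixAvailable: true,
    };
  });
  // metadata is trimmed to what this example needs (constructed, not a full report)
  return { auditReportVersion: 2, vulnerabilities, metadata: { vulnerabilities: { critical: CHAIN.length } } };
}

// Root-cause advisories are the `via` entries that are objects rather than package names.
function advisoriesFor(report, pkg) {
  const entry = report.vulnerabilities[pkg];
  if (!entry) return [];
  return entry.via.filter((v) => typeof v === 'object').map((v) => v.url);
}

// Follow `effects` upward from `pkg`. Each path starts at `pkg` and ends at a
// direct dependency, or at a package nothing else in the report depends on.
function pathsToDirect(report, pkg, seen = new Set()) {
  const entry = report.vulnerabilities[pkg];
  if (!entry || seen.has(pkg)) return []; // cycle guard: dependency graphs can loop
  const visited = new Set(seen).add(pkg);
  if (entry.isDirect || entry.effects.length === 0) return [[pkg]];
  return entry.effects.flatMap((parent) =>
    pathsToDirect(report, parent, visited).map((tail) => [pkg, ...tail]));
}

// One triage row per direct dependency that (transitively) pulls in `pkg`.
function triage(report, pkg) {
  return pathsToDirect(report, pkg).map((path) => ({
    directDependency: path[path.length - 1],
    depth: path.length - 1,
    path: path.join(' -> '),
    advisories: advisoriesFor(report, pkg),
  }));
}

// Stand-alone run on the constructed fixture. For a real project, replace
// buildFixture() with JSON.parse of the `npm audit --json` output.
const report = buildFixture();
for (const row of triage(report, 'vm2')) {
  console.log(`${row.directDependency} (depth ${row.depth}): ${row.path}`);
  row.advisories.forEach((url) => console.log(`  advisory: ${url}`));
}
```

Running it against the fixture prints a single row: `@nestjs-modules/mailer` at depth 10, which matches the chain in the report above and tells the maintainer that the only lever in `package.json` is the mailer dependency itself (hence the wait for a release).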
@sswayney

There is a finished PR but we need a release #1021

@lsacco-nutreense
Author

@sswayney what's the process to get it released? Can I help advocate for that?

@lsacco-nutreense
Author

Snyk super unhappy about this version. Any update?

@gterras

gterras commented Nov 15, 2023

Workaround before release #1021 (comment)

@juandav juandav closed this as completed Dec 22, 2023