A dependency of this repository contains a critical VM escape vulnerability

Question

A dependency of this repository contains a critical VM escape vulnerability

Southclaws opened this issue 2 years ago · 5 comments

Details here:

Dependency tree:

ibm-openapi-validator
@stoplight/spectral-cli
proxy-agent
pac-proxy-agent
pac-resolver
degenerator
vm2

Vulnerable code does not seem to be used at any point in the dependency stack, for reference this is where it's called: https://github.com/TooTallNate/proxy-agents/blob/95729e1563fb4d6edcb7287bdd7e1a8126016da4/packages/pac-resolver/src/index.ts#L48-L53

Related issues:

Answer 1 · 2023-07-18T17:54:12.000Z

@Southclaws Thanks for opening the issue. We are waiting a bit in hopes that the @stoplight/spectral-cli package will have a new release soon which addresses this vulnerability. Alternatively, if one of its transitive dependencies (proxy-agent, pac-proxy-agent, etc.) publishes a new version that no longer uses vm2, we could potentially use "overrides" in package.json to force the use of a new transitive dependency by spectral-cli.
Rest assured, we're keeping an eye on this situation.

Answer 2 · 2023-07-18T19:17:27.000Z

It turns out that a new version of proxy-agent (direct dependency of spectral-cli) is available today that removes the "vm2" dependency altogether.

Answer 3 · 2023-08-03T16:42:33.000Z

🎉 This issue has been resolved in version 1.2.0 🎉

The release is available on npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

Answer 4 · 2023-08-03T16:43:44.000Z

🎉 This issue has been resolved in version 1.2.0 🎉

The release is available on npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

Answer 5 · 2023-08-11T16:15:57.000Z

🎉 This issue has been resolved in version 1.2.0 🎉

The release is available on npm package (@latest dist-tag)

Your semantic-release bot 📦🚀