stoplightio/spectral

Critical vulnerability (CVE-2023-37466) reported due to transitive dependency, vm2 which is discontinued.

brandonlenz opened this issue · 6 comments

Chore summary

CVE-2023-37466

Replace dependencies resulting in the use of vm2. Instead, dependencies should consider isolated-vm, recommended by the maintainer who discontinued support of vm2.

Tasks

  • Replace usages of vm2
  • Release new spectral version
P0lip commented

We don't use vm2 directly.
vm2 is one of the dependencies used indirectly by proxy-agent, seems like they already have an issue open TooTallNate/proxy-agents#218.
I'll keep an eye out for it and will update proxy-agent as soon as the fixed version is out.

You could just replace proxy-agent with hpagent and possibly proxy-from-env (when needed), both are 0-dependency modules.

P0lip commented

I'd be happy to use hpagent, but the problem with that dependency is that its lowest supported Node.js version is 14, while Spectral still supports 12.
Given Node.js 14 is already EOL (and 16 is soon to reach EOL as well), we'll inevitably drop support for these versions, but as things stand we cannot just make a switch 😞

EDIT: ah, looks like proxy-agent dropped support for Node 12

Upstream dependency proxy-agents closed the vulnerability in version 6.3.0
TooTallNate/proxy-agents#224

Glad you found a way to use hpagent, that alone will reduce the module size by 5MB+ 👍

Edit: Packagephobia confirms.

:tada: This issue has been resolved in version 6.9.0 :tada:

The release is available on npm package (@latest dist-tag)

Your semantic-release bot 📦🚀