Critical vulnerability (CVE-2023-37466) reported due to transitive dependency vm2, which is discontinued.
brandonlenz opened this issue · 6 comments
Chore summary
Replace dependencies resulting in the use of vm2. Instead, dependencies should consider isolated-vm, recommended by the maintainer who discontinued support of vm2.
Tasks
- Replace usages of vm2
- Release new spectral version
We don't use vm2 directly.
vm2 is one of the dependencies used indirectly by proxy-agent, seems like they already have an issue open TooTallNate/proxy-agents#218.
I'll keep an eye out for it and will update proxy-agent as soon as the fixed version is out.
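The comment above makes the practical point of this issue: the vulnerable package is not a direct dependency, so the question a maintainer has to answer is which direct dependency drags it in. The following is an added example, not code from the Spectral project or from this thread, that answers that question by walking a package-lock.json v2/v3 `packages` map, resolving each dependency the way npm does (nearest `node_modules` first, then hoisted up to the root) and returning every dependency path that ends at a target package. The lockfile it reads is constructed inline; the chain proxy-agent -> pac-proxy-agent -> vm2 and the version numbers in it are assumptions for illustration, not taken from a real install.

```javascript
// Added example: find which direct dependencies pull a given transitive
// package (e.g. vm2) into a project, using a package-lock.json v2/v3
// "packages" map. The lockfile below is constructed for this example; the
// proxy-agent -> pac-proxy-agent -> vm2 chain and versions are assumed.

const constructedLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: { "proxy-agent": "^6.2.0", "hpagent": "^1.2.0" },
    },
    "node_modules/proxy-agent": {
      version: "6.2.0",
      dependencies: { "pac-proxy-agent": "^6.0.0" },
    },
    "node_modules/pac-proxy-agent": {
      version: "6.0.0",
      dependencies: { "vm2": "^3.9.0" },
    },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/hpagent": { version: "1.2.0" },
  },
};

// Lockfile keys look like "node_modules/a/node_modules/b"; the package name
// is whatever follows the last "node_modules/" (scoped names are preserved).
function packageName(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Resolve depName as seen from the package at fromKey: check the nested
// node_modules of fromKey first, then walk up one node_modules level at a
// time until the root. Returns the lockfile key or null if unresolvable.
function resolveDep(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = base
      ? `${base}/node_modules/${depName}`
      : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package (key "") over dependencies and
// optionalDependencies, collecting every path that ends at `target`.
// Keys already on the current path are skipped to break dependency cycles.
function findDependencyPaths(lock, target) {
  const packages = lock.packages;
  const results = [];

  function walk(key, path) {
    const pkg = packages[key];
    if (!pkg) return;
    const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
    for (const depName of Object.keys(deps)) {
      const depKey = resolveDep(packages, key, depName);
      if (!depKey || path.includes(depKey)) continue;
      const nextPath = [...path, depKey];
      if (depName === target) {
        results.push(nextPath.map(packageName));
      } else {
        walk(depKey, nextPath);
      }
    }
  }

  walk("", []);
  return results;
}

// The direct dependencies a maintainer would have to replace or update:
// the first hop of each path, deduplicated.
function directCulprits(lock, target) {
  return [...new Set(findDependencyPaths(lock, target).map((p) => p[0]))];
}

// Usage: report every chain that ends at vm2 in the constructed lockfile.
for (const path of findDependencyPaths(constructedLock, "vm2")) {
  console.log(path.join(" -> "));
}
console.log("direct dependencies to act on:", directCulprits(constructedLock, "vm2"));
```

Run against a real lockfile by replacing `constructedLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the output tells you whether a fix is a one-line bump of a direct dependency (as with proxy-agent 6.3.0 later in this thread) or requires swapping the dependency out. Lockfile v1 uses a nested `dependencies` tree instead of the flat `packages` map and is not handled here.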
You could just replace proxy-agent with hpagent and possibly proxy-from-env (when needed); both are zero-dependency modules.
I'd be happy to use hpagent, but the problem with that dependency is that its lowest supported Node.js version is 14, while Spectral still supports 12.
Given Node.js 14 is already EOL (and 16 is soon to reach EOL as well), we'll inevitably drop support for these versions, but as things stand we cannot just make a switch.
EDIT: ah, looks like proxy-agent dropped support for Node 12
Upstream dependency proxy-agents closed the vulnerability in version 6.3.0 (TooTallNate/proxy-agents#224).
Glad you found a way to use hpagent, that alone will reduce the module size by 5MB+.
Edit: Packagephobia confirms.
:tada: This issue has been resolved in version 6.9.0 :tada:
The release is available on npm package (@latest dist-tag)
Your semantic-release bot