
Critical vulnerability (CVE-2023-37466) reported due to transitive dependency, vm2 which is discontinued. #2510

Closed
2 tasks
brandonlenz opened this issue Jul 14, 2023 · 6 comments · Fixed by #2513
@brandonlenz

Chore summary

CVE-2023-37466

Replace dependencies resulting in the use of vm2. Instead, dependencies should consider isolated-vm, as recommended by the maintainer who discontinued support of vm2.

Tasks

  • Replace usages of vm2
  • Release new spectral version
@brandonlenz brandonlenz changed the title Critical vulnerability. (CVE-2023-37466) reported due to transitive dependency, vm2 which is discontinued. Critical vulnerability (CVE-2023-37466) reported due to transitive dependency, vm2 which is discontinued. Jul 14, 2023
@P0lip
Contributor

P0lip commented Jul 14, 2023

We don't use vm2 directly.
vm2 is one of the dependencies used indirectly by proxy-agent; it seems they already have an issue open: TooTallNate/proxy-agents#218.
I'll keep an eye out for it and will update proxy-agent as soon as the fixed version is out.

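The comment above makes the point that vm2 never appears in Spectral's own package.json: it arrives transitively through proxy-agent. The following is an added example (not code from the Spectral project or from anyone in this thread) showing how a maintainer can find every dependency chain that ends in a given package by walking the nested tree that `npm ls --all --json` prints (the same `dependencies` shape used by a v1 package-lock.json). The sample tree is constructed for the example; `example-pac-lib` and the version numbers are placeholders, not the real package that links proxy-agent to vm2. Because vm2 is discontinued and has no fixed release, any occurrence is reported rather than only versions in a range.

```javascript
// Added example: locate transitive dependency chains ending in a target package.
// Input shape matches `npm ls --all --json` / package-lock v1 "dependencies":
// { name, version, dependencies: { <name>: { version, dependencies: {...} } } }

// Constructed sample tree (placeholder names and versions, not real data).
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "proxy-agent": {
      version: "5.0.0",
      dependencies: {
        "example-pac-lib": {
          version: "1.0.0",
          dependencies: { vm2: { version: "3.9.19" } },
        },
      },
    },
    "some-plugin": {
      version: "2.0.0",
      dependencies: {
        "proxy-agent": {
          version: "5.0.0",
          dependencies: {
            "example-pac-lib": {
              version: "1.0.0",
              dependencies: { vm2: { version: "3.9.19" } },
            },
          },
        },
      },
    },
    hpagent: { version: "1.2.0" },
  },
};

// Returns every chain from a direct dependency down to `target`, each chain
// being an array of "name@version" labels. Depth-first, and a package already
// on the current path is not descended into again, so a cyclic tree terminates.
function findDependencyChains(tree, target) {
  const chains = [];

  function walk(node, name, path) {
    const label = name + "@" + (node.version || "?");
    if (path.includes(label)) return; // cycle guard
    const next = path.concat(label);
    if (name === target) {
      chains.push(next);
      return; // a match ends the chain; nothing below it matters
    }
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(child, childName, next);
    }
  }

  for (const [childName, child] of Object.entries(tree.dependencies || {})) {
    walk(child, childName, []);
  }
  return chains;
}

// Collapses the chains to the distinct direct dependencies responsible, i.e.
// the entries in package.json a maintainer would need to replace or update.
// Scoped names (@scope/pkg) are handled by splitting on the last "@".
function directDependenciesPullingIn(tree, target) {
  const roots = findDependencyChains(tree, target).map((chain) => {
    const first = chain[0];
    return first.slice(0, first.lastIndexOf("@"));
  });
  return [...new Set(roots)];
}

// Stand-alone run: print each chain, then the direct dependencies to act on.
for (const chain of findDependencyChains(SAMPLE_TREE, "vm2")) {
  console.log(chain.join(" > "));
}
console.log("direct dependencies pulling in vm2:", directDependenciesPullingIn(SAMPLE_TREE, "vm2"));
```

To run this against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --all --json` (or the top-level object of a v1 package-lock.json); the chains it prints are exactly the paths that a replacement such as the one discussed later in this thread has to cut.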
@silverwind

silverwind commented Jul 17, 2023

You could just replace proxy-agent with hpagent and possibly proxy-from-env (when needed); both are 0-dependency modules.

@P0lip
Contributor

P0lip commented Jul 18, 2023

I'd be happy to use hpagent, but the problem with that dependency is that its lowest supported Node.js version is 14, while Spectral still supports 12.
Given Node.js 14 is already EOL (and 16 is soon to reach EOL as well), we'll inevitably drop support for these versions, but as things stand we cannot just make a switch 😞

EDIT: ah, looks like proxy-agent dropped support for Node 12

@hinnerk-optibus

Upstream dependency proxy-agents closed the vulnerability in version 6.3.0
TooTallNate/proxy-agents#224

@silverwind

silverwind commented Jul 25, 2023

Glad you found a way to use hpagent, that alone will reduce the module size by 5MB+ 👍

Edit: Packagephobia confirms.

@stoplight-bot
Collaborator

🎉 This issue has been resolved in version 6.9.0 🎉

The release is available on npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

5 participants