
Need to replace vulnerable vm2 library #450

Open
wz2b opened this issue Mar 5, 2024 · 4 comments
Labels: dependencies (Pull requests that update a dependency file), problem, pull request welcome (send your pull request and contribute to the project), question, sponsors are welcome (https://plus4nodered.com/)

Comments

wz2b commented Mar 5, 2024

Which node-red-contrib-modbus version are you using?

5.30.0

What happened?

When you install node-red-contrib-modbus npm reports:

The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

Server

Modbus-Server Node

How can this be reproduced?

Install the package from the command line (using npm) and watch the output

What did you expect to happen?

I expect to be able to install the package without any severity=critical security warnings

Other Information

This was reported previously but closed by the bot due to inactivity. There are previous CVEs out there that all say the problem is with vm2 3.9.18 but this is installing 3.9.19 and I still get the warning. https://www.npmjs.com/package/vm2 suggests migrating from vm2 to isolated-vm

@wz2b wz2b added the bug label Mar 5, 2024
biancode (Contributor) commented Mar 22, 2024

Feel free to support us in solving all these issues, see https://p4nr.com/ !

biancode added the question, problem, sponsors are welcome (https://plus4nodered.com/), pull request welcome (send your pull request and contribute to the project) and dependencies (Pull requests that update a dependency file) labels and removed the bug label Mar 22, 2024
@biancode biancode self-assigned this Mar 22, 2024
biancode (Contributor) commented

A switch-over to the vm used by Node-RED is possible, but there are some issues to test whether vm can do the same work.

S474N commented May 4, 2024

Still deprecated vm2:

2024-05-04T18:07:08.610Z Install : node-red-contrib-modbus 5.31.0

2024-05-04T18:07:09.942Z npm install --no-audit --no-update-notifier --no-fund --save --save-prefix=~ --production --engine-strict node-red-contrib-modbus@5.31.0
2024-05-04T18:07:10.138Z [err] npm
2024-05-04T18:07:10.138Z [err]  WARN config production Use `--omit=dev` instead.
2024-05-04T18:07:15.168Z [err] npm WARN deprecated vm2@3.9.19: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.
2024-05-04T18:07:16.025Z [out] 
2024-05-04T18:07:16.025Z [out] added 34 packages in 6s
2024-05-04T18:07:16.031Z rc=0

biancode (Contributor) commented
#461 - comes soon with 5.40.+

3 participants