Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vm2 is now deprecated #218

Closed
harryaswan opened this issue Jul 11, 2023 · 7 comments · Fixed by #224
Closed

vm2 is now deprecated #218

harryaswan opened this issue Jul 11, 2023 · 7 comments · Fixed by #224

Comments

@harryaswan
Copy link

The author's message on NPM:

The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

There is a full explanation in the readme of the project.

This is throwing a warning on every install of downstream packages link Puppeteer.
@OrKoN OrKoN mentioned this issue Jul 12, 2023
Closed
@TooTallNate
Copy link
Owner

:ack:

The suggested alternative isolated-vm is probably a non-starter for this project, since it requires a C++ module, which I would like to avoid. I'm considering using QuickJS compiled to WASM instead.

@wcbastian
Copy link

Would be nice if pac-proxy support could be an optional dependency, it's frustrating to have security alerts go off for code that we are not using.

@sfc-gh-dszmolka
Copy link

Critical severity CVE-2023-37466 vm2 Sandbox Escape vulnerability advisory for vm2

@sfc-gh-dszmolka sfc-gh-dszmolka mentioned this issue Jul 14, 2023
Closed
@egaudry egaudry mentioned this issue Jul 14, 2023
Open
@bgowers bgowers mentioned this issue Jul 14, 2023
Closed
@gorner gorner mentioned this issue Jul 14, 2023
Closed
@P0lip P0lip mentioned this issue Jul 14, 2023
Closed
2 tasks
@Southclaws Southclaws mentioned this issue Jul 14, 2023
Closed
@lukehsiao lukehsiao mentioned this issue Jul 14, 2023
Closed
1 task
@steveluscher steveluscher mentioned this issue Jul 14, 2023
Closed
@robbkidd robbkidd mentioned this issue Jul 14, 2023
Closed
@robbkidd
Copy link

❓Is my understanding of the exposure to the vm2 vulnerability to users of proxy-agent as of v6.2.2 correct? ❓

  • JS runtime with proxy-agent loaded will have pac-proxy-agent loaded and therefore vm2.
  • HTTP_PROXY/HTTPS_PROXY are not set: ✅
    • the pac-proxy-agent codepaths are not exercised and therefore vm2 is never used.
  • HTTP_PROXY/HTTPS_PROXY are set, but values do not start with pac*: ✅
    • the pac-proxy-agent codepaths are not exercised and therefore vm2 is never used.
  • HTTP_PROXY/HTTPS_PROXY are set to a URL starting with pac* pointing to a proxy auto-config file: 🤔
    • pac-proxy-agent is exercised, vm2 is used, and the code injection would have to be in the contents of the PAC file retrieved?

@TooTallNate
Copy link
Owner

@robbkidd Correct

@ajaykarthikr ajaykarthikr mentioned this issue Jul 17, 2023
Closed
@cchampou cchampou mentioned this issue Jul 17, 2023
Closed
@spacejamjim spacejamjim mentioned this issue Jul 17, 2023
Closed
@naveinaustin
Copy link

Do we have an ETA for this?

@zymotik zymotik mentioned this issue Jul 17, 2023
Closed
@Southclaws Southclaws mentioned this issue Jul 17, 2023
Closed
TooTallNate added a commit that referenced this issue Jul 18, 2023
@TooTallNate
Use quickjs-emscripten instead of vm2 to execute PAC file code
67722c5 
The `vm2` module has been deprecated and has critical security
vulnerabilities. The suggested replacement module `isolated-vm`
is not suitable for these packages, since it relies on a C++ binary.

Instead, these packages will use the `quickjs-emscripten` module to
execute the user code in an isolated QuickJS environment compiled to
WASM. This should allow the highest level of sandboxing and will
hopefully put an end to this cat and mouse game once and for all.

Fixes #218.
@TooTallNate TooTallNate mentioned this issue Jul 18, 2023
Merged
@patzick patzick mentioned this issue Jul 18, 2023
Merged
@TooTallNate
Copy link
Owner

Just giving an update, PR #224 seems promising so far. Tests are passing and I'm playing around with a fork of quickjs-emscripten that is stripped down of unnecessary features so that the install size of these packages doesn't bloat unnecessarily.

TooTallNate added a commit to vercel/vercel that referenced this issue Jul 18, 2023
@TooTallNate
[cli] Update proxy-agent to v6.3.0
7b6ed43 
This version includes a refactor for proxies specified via PAC files
such that it no longer uses the deprecated `vm2` module.

See TooTallNate/proxy-agents#218.
@TooTallNate TooTallNate mentioned this issue Jul 18, 2023
Merged
kodiakhq bot pushed a commit to vercel/vercel that referenced this issue Jul 18, 2023
@TooTallNate
[cli] Update proxy-agent to v6.3.0 (#10226)
fdf86fd 
This version includes a refactor for proxies specified via PAC files such that it no longer uses the deprecated `vm2` module.

See TooTallNate/proxy-agents#218.
arafel added a commit to arafel/CaptchaJs that referenced this issue Jul 19, 2023
@arafel
Disable "yarn audit" on 'ci' task.
0bc9a87 
It's causing problems where sometimes we can't merge changes due to a
problem in a package 4 levels down that's only used for making releases.

(vm2, I'm looking at you.)

TooTallNate/proxy-agents#218 (comment)
release-it/release-it#1024 (comment)
@arafel arafel mentioned this issue Jul 19, 2023
Merged
arafel added a commit to arafel/CaptchaJs that referenced this issue Jul 19, 2023
@arafel
Disable "yarn audit" on 'ci' task.
7b23e94 
It's causing problems where sometimes we can't merge changes due to a
problem in a package 4 levels down that's only used for making releases.

(vm2, I'm looking at you.)

TooTallNate/proxy-agents#218 (comment)
release-it/release-it#1024 (comment)
@AnWeber AnWeber mentioned this issue Jul 22, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use quickjs-emscripten instead of vm2 to execute PAC file code TooTallNate/proxy-agents
6 participants
@TooTallNate @harryaswan @robbkidd @naveinaustin @wcbastian @sfc-gh-dszmolka