vm2 is now deprecated #218
Comments
The suggested alternative
Would be nice if pac-proxy support could be an optional dependency, it's frustrating to have security alerts go off for code that we are not using.
Critical severity CVE-2023-37466 vm2 Sandbox Escape vulnerability advisory for
❓Is my understanding of the exposure to the vm2 vulnerability to users of proxy-agent as of v6.2.2 correct? ❓
@robbkidd Correct
Do we have an ETA for this? |
The `vm2` module has been deprecated and has critical security vulnerabilities. The suggested replacement module `isolated-vm` is not suitable for these packages, since it relies on a C++ binary. Instead, these packages will use the `quickjs-emscripten` module to execute the user code in an isolated QuickJS environment compiled to WASM. This should allow the highest level of sandboxing and will hopefully put an end to this cat and mouse game once and for all. Fixes #218.
Just giving an update, PR #224 seems promising so far. Tests are passing and I'm playing around with a fork of
This version includes a refactor for proxies specified via PAC files such that it no longer uses the deprecated `vm2` module. See TooTallNate/proxy-agents#218.
It's causing problems where sometimes we can't merge changes due to a problem in a package 4 levels down that's only used for making releases. (vm2, I'm looking at you.) TooTallNate/proxy-agents#218 (comment) release-it/release-it#1024 (comment)
The author's message on NPM:
There is a full explanation in the readme of the project.
This is throwing a warning on every install of downstream packages like Puppeteer.