Regarding the vulnerability in the npm dependency vm2, could you please handle it? #416

Closed
cander0815 opened this issue Jul 24, 2023 · 2 comments
Labels
enhancement Anything around developer experience or feature request.

Comments

@cander0815
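A security vulnerability was recently disclosed in the npm package vm2. The `"urllib": "^2.34.1"` that you currently depend on pulls in this package underneath. Could you upgrade this dependency to get rid of the vm2 vulnerability?

Vulnerability description: https://paper.seebug.org/2062/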

@lihsai0
Collaborator

lihsai0 commented Jul 25, 2023

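Regarding this vm2 issue, it is mainly the PAC proxy support that uses it. The SDK itself does not use it. As long as you do not actively use vm2 or pac-proxy there is no problem, and you can use it with confidence.

The reason urllib has not been upgraded for so long is that the version currently in use is compatible down to node v6; if we upgrade to urllib 3.x, the minimum compatible node version will jump to 14.x.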

@lihsai0 lihsai0 added the enhancement Anything around developer experience or feature request. label Jul 25, 2023
@bachue
Contributor

bachue commented Jul 31, 2023

This issue has been resolved; installation no longer produces warnings.

@bachue bachue closed this as completed Jul 31, 2023
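
Added example, not part of the original thread or the project's code: a way to list every dependency chain that leads to `vm2` in an npm lockfile (the `packages` layout of lockfileVersion 2/3), so you can see which direct dependency pulls it in. The sample lockfile, the names `example-sdk` and `left-helper`, the `0.0.0` versions and the chain shape are constructed for illustration and are not the SDK's real dependency tree.

```javascript
// Constructed, simplified lockfile; not the real tree of any package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-sdk": "^1.0.0" } },
    "node_modules/example-sdk": { version: "1.0.0", dependencies: { urllib: "^2.34.1" } },
    "node_modules/urllib": { version: "2.34.1", dependencies: { "pac-proxy-agent": "*", "left-helper": "*" } },
    "node_modules/pac-proxy-agent": { version: "0.0.0", dependencies: { vm2: "*" } },
    "node_modules/vm2": { version: "0.0.0" },
    "node_modules/left-helper": { version: "0.0.0" },
  },
};

// Resolve a dependency the way Node does: nearest node_modules first, then walk up.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. skipped optional dependency)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Depth-first walk from the root project; returns each chain ending at `target`.
function findPaths(lock, target) {
  const packages = lock.packages || {};
  const results = [];
  const walk = (path, chain, onStack) => {
    const pkg = packages[path];
    // devDependencies are only installed for the root project.
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, name);
      if (!resolved || onStack.has(resolved)) continue; // missing or cyclic
      const next = chain.concat(`${name}@${packages[resolved].version}`);
      if (name === target) { results.push(next); continue; }
      onStack.add(resolved);
      walk(resolved, next, onStack);
      onStack.delete(resolved);
    }
  };
  if (packages[""]) walk("", [], new Set([""]));
  return results;
}

for (const chain of findPaths(sampleLock, "vm2")) console.log(chain.join(" > "));
```

To check a real project, pass `JSON.parse` of its `package-lock.json` to `findPaths` in place of `sampleLock`; an empty result means the target is not installed through any chain.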