
Fix: Eliminate vm2 security vulnerability #358

Merged
bexter89 merged 2 commits into master from fix/didi/proxy-agent-vm2-vulnerability on Jan 27, 2026

Conversation

@aditiohri (Contributor) commented Jan 27, 2026

Summary

  • Updated `proxy-agent` from `6.2.1` to `6.5.0` to eliminate the deprecated and vulnerable `vm2` package from the dependency tree
  • The newer version uses `@tootallnate/quickjs-emscripten` as a safe alternative for JavaScript sandboxing
  • Updated GitHub Actions workflow from v2 to v4 to fix persistent cache service errors

Security Impact

This update removes all `vm2` dependencies, eliminating multiple critical CVEs:

Dependency Chain Changes

Before (v6.2.1)

```
proxy-agent@6.2.1
└─> pac-proxy-agent@6.0.3
    └─> pac-resolver@6.0.1
        └─> degenerator@4.0.2
            └─> vm2@3.9.17 ⚠️ DEPRECATED & VULNERABLE
```

After (v6.5.0)

```
proxy-agent@6.5.0
└─> pac-proxy-agent@7.2.0
    └─> pac-resolver@7.0.1
        └─> degenerator@5.0.1
            └─> @tootallnate/quickjs-emscripten@0.23.0 ✅ SAFE
```

Changes Made

  1. Security fix: Updated `proxy-agent` dependency from 6.2.1 to 6.5.0
  2. CI improvement: Updated GitHub Actions (checkout and setup-node) from v2 to v4 to resolve cache service errors

Test Plan

  • All 62 existing tests pass on Node 18.x and 20.x
  • Verified `vm2` is completely removed from dependency tree
  • Verified `@tootallnate/quickjs-emscripten` is now used as the safe sandbox
  • No breaking changes detected
  • CI workflow now runs successfully with updated actions

Additional Context

The `vm2` package has been officially deprecated with the warning: "The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued."

This fix resolves compliance issues for all spandx users, even though spandx is typically used as a devDependency, as the vulnerability can be flagged by security scanners in production containers.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
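
The test-plan item "Verified `vm2` is completely removed from dependency tree" is the check worth automating, so the package cannot reappear later through a different transitive path. The script below is an added example, not spandx code and not from the PR author: it walks an npm `package-lock.json` (the `packages` map of lockfileVersion 2 or 3) the way Node resolves modules, including nested `node_modules` copies that npm creates when a dependency cannot be hoisted, and reports every chain from the project root that reaches a banned package. The two lockfiles embedded in it are constructed, trimmed to exactly the before/after chains listed in this description, and the npm lockfile format is an assumption (spandx's CI commit mentions yarn); the one-off equivalents against a real tree are `npm ls vm2` or `yarn why vm2`.

```javascript
"use strict";
// Added example (not spandx code): a CI gate that walks a package-lock.json
// "packages" map like Node's module resolution and fails when a banned
// package is reachable from the project root.

// Packages that must not appear anywhere in the resolved tree.
const BANNED = new Set(["vm2"]);

// Package name stored at a lockfile path, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameOf(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Mimic Node's lookup for `dep` required from the package at `fromPath`:
// try fromPath/node_modules/dep, then each enclosing node_modules up to the root ("").
function resolveDep(packages, fromPath, dep) {
  let scope = fromPath;
  for (;;) {
    const candidate = scope ? `${scope}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!scope) return null; // reached the root without finding it
    const up = scope.lastIndexOf("/node_modules/");
    scope = up === -1 ? "" : scope.slice(0, up);
  }
}

// Visit every package once but record every edge into a banned package, so the
// report shows each chain that pulls it in. Unresolvable edges usually mean a
// stale lockfile and are reported separately.
function auditLock(lock, banned = BANNED) {
  const packages = lock.packages || {};
  const result = { banned: [], unresolved: [] };
  const visited = new Set([""]);

  function walk(fromPath, chain) {
    const entry = packages[fromPath] || {};
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies);
    for (const dep of Object.keys(deps)) {
      const depPath = resolveDep(packages, fromPath, dep);
      if (!depPath) {
        result.unresolved.push(chain.concat(dep).join(" > "));
        continue;
      }
      const name = nameOf(depPath);
      const next = chain.concat(`${name}@${packages[depPath].version}`);
      if (banned.has(name)) result.banned.push(next.join(" > "));
      if (!visited.has(depPath)) {
        visited.add(depPath);
        walk(depPath, next);
      }
    }
  }
  walk("", []);
  return result;
}

// Constructed lockfile fragments (not real spandx lockfiles): trimmed to the
// before/after chains in the PR description, with vm2 nested under degenerator
// the way npm lays it out when the package cannot be hoisted.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "spandx", dependencies: { "proxy-agent": "6.2.1" } },
    "node_modules/proxy-agent": { version: "6.2.1", dependencies: { "pac-proxy-agent": "6.0.3" } },
    "node_modules/pac-proxy-agent": { version: "6.0.3", dependencies: { "pac-resolver": "6.0.1" } },
    "node_modules/pac-resolver": { version: "6.0.1", dependencies: { degenerator: "4.0.2" } },
    "node_modules/degenerator": { version: "4.0.2", dependencies: { vm2: "3.9.17" } },
    "node_modules/degenerator/node_modules/vm2": { version: "3.9.17" },
  },
};

const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "spandx", dependencies: { "proxy-agent": "6.5.0" } },
    "node_modules/proxy-agent": { version: "6.5.0", dependencies: { "pac-proxy-agent": "7.2.0" } },
    "node_modules/pac-proxy-agent": { version: "7.2.0", dependencies: { "pac-resolver": "7.0.1" } },
    "node_modules/pac-resolver": { version: "7.0.1", dependencies: { degenerator: "5.0.1" } },
    "node_modules/degenerator": { version: "5.0.1", dependencies: { "@tootallnate/quickjs-emscripten": "0.23.0" } },
    "node_modules/@tootallnate/quickjs-emscripten": { version: "0.23.0" },
  },
};

// CLI use against a real lockfile: node lock-gate.js package-lock.json
// Exits 1 when any banned package is reachable, which is what a CI step needs.
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8"));
  const report = auditLock(lock);
  for (const chain of report.banned) console.error(`BANNED: ${chain}`);
  for (const chain of report.unresolved) console.error(`UNRESOLVED: ${chain}`);
  process.exit(report.banned.length ? 1 : 0);
}
```

Against `LOCK_BEFORE` the gate reports the single chain `proxy-agent@6.2.1 > pac-proxy-agent@6.0.3 > pac-resolver@6.0.1 > degenerator@4.0.2 > vm2@3.9.17`; against `LOCK_AFTER` it reports nothing. Wiring it into CI after `npm ci` turns the manual "verified vm2 is removed" step into a regression check, and the same `BANNED` set can carry any other package the project decides it must never ship.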

Aditi Ohri and others added 2 commits January 27, 2026 14:32
Update proxy-agent from 6.2.1 to 6.5.0 to remove the deprecated and vulnerable vm2 package from the dependency tree. The newer version uses @tootallnate/quickjs-emscripten as a safe alternative for JavaScript sandboxing.

This eliminates multiple critical CVEs (CVSS 9.8-10.0):
- CVE-2023-29017, CVE-2023-30547, CVE-2023-37466
- CVE-2023-37903, CVE-2022-36067

All tests pass with no breaking changes.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Updated actions/checkout and actions/setup-node from v2 to v4 to resolve
persistent yarn cache service errors (400 responses) in CI.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@bexter89 bexter89 merged commit c1d79de into master Jan 27, 2026
2 checks passed
