Security Issue with Dependency vm2 #295

Closed
ahester-incomm opened this issue Jul 17, 2023 · 6 comments

Comments

@ahester-incomm

ahester-incomm commented Jul 17, 2023

According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

From Snyk.

Also see GitHub issue.

@deanro
Contributor

deanro commented Sep 19, 2023

I haven't used yarn before, but as far as I can see it looks like vm2 is being brought in ultimately via the version of the proxy-agent dependency that is being used. I did a local test to upgrade proxy-agent to the latest version, and vm2 has gone away and as far as I can see everything still works. However, I could be missing something, as I haven't had reason to install yarn before tonight :-)
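The transitive-dependency check described in the comment above, as an added example that is not part of the original thread or the project's code: it reads a yarn.lock (v1 format) and lists every chain of packages that ends at a given dependency. The lockfile excerpt is constructed, and `hypothetical-resolver` and all version numbers are placeholders.

```javascript
// Constructed yarn.lock (v1) excerpt; intermediate name and versions are placeholders.
const SAMPLE_LOCK = `
proxy-agent@^1.0.0:
  version "1.0.0"
  dependencies:
    hypothetical-resolver "^1.0.0"

hypothetical-resolver@^1.0.0, hypothetical-resolver@^1.0.1:
  version "1.0.1"
  dependencies:
    vm2 "^1.0.0"

vm2@^1.0.0:
  version "1.0.0"
`;
// "name@range" or "@scope/name@range" -> package name
const nameOf = (spec) => spec.trim().replace(/"/g, '').replace(/@[^@]*$/, '');

// Map each package to the set of packages that declare it as a dependency.
function parseParents(lockText) {
  const parents = new Map();
  const touch = (n) => parents.get(n) || parents.set(n, new Set()).get(n);
  let current = null, inDeps = false;
  for (const line of lockText.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {            // entry header, e.g. `a@^1, a@^2:`
      touch(current = nameOf(line.replace(/:\s*$/, '').split(',')[0]));
      inDeps = false;
    } else if (/^ {2}\S/.test(line)) {      // a field of the current entry
      inDeps = /^ {2}(optionalD|d)ependencies:/.test(line);
    } else if (inDeps) {                    // `    child "range"`
      touch(line.trim().split(' ')[0].replace(/"/g, '')).add(current);
    }
  }
  return parents;
}

// Every chain from a package that nothing else requires down to `target`.
function chainsTo(target, parents) {
  const out = [];
  const walk = (pkg, path) => {
    const ups = [...parents.get(pkg)].filter((p) => !path.includes(p)); // skip cycles
    if (ups.length === 0) return out.push(path.join(' > '));
    ups.forEach((p) => walk(p, [p, ...path]));
  };
  if (parents.has(target)) walk(target, [target]);
  return out;
}
console.log(chainsTo('vm2', parseParents(SAMPLE_LOCK)));
```

An empty result after a dependency upgrade means the target no longer appears anywhere in the lockfile; on a real checkout, `yarn why vm2` answers the same question.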

@kevinappen

Thanks @deanro for looking at this. I'm just wondering what is needed to have your pull request merged into the main branch, and if there's anything we (the public) can do to help?

@ahester-incomm
Author

@kevinappen This repository is in need of maintainers. One of the open issues (#300) is seeking maintainers.

@deanro
Contributor

deanro commented Nov 29, 2023

I tested it locally and everything looked good. I think someone just needs to approve and merge it.

@kevinappen

> @kevinappen This repository is in need of maintainers. One of the open issues (#300) is seeking maintainers.

@ahester-incomm yeah, I realise that, and I didn't mean to hassle anyone unduly. I appreciate it's a voluntary thing, and everyone has other things that take precedence. I myself don't have any Node experience at all, so couldn't help directly, but I thought some people had recently put their hands up to take on the maintenance so that's why I asked if we, the general public, could help at all.

@ahester-incomm
Author

> @kevinappen This repository is in need of maintainers. One of the open issues (#300) is seeking maintainers.

> @ahester-incomm yeah, I realise that, and I didn't mean to hassle anyone unduly. I appreciate it's a voluntary thing, and everyone has other things that take precedence. I myself don't have any Node experience at all, so couldn't help directly, but I thought some people had recently put their hands up to take on the maintenance so that's why I asked if we, the general public, could help at all.

I guess we can start by commenting on this issue more so it gets more attention.
