Vulnerability: vm2 via proxy-agent

[gorner]

Raising for visibility in case this plugin's maintainers want to investigate their own solutions, or if they can clarify whether any vm2 code is actually reachable using this library. Given the timeframe before PoC disclosure, it might be OK to wait-and-see a few days before taking drastic steps.

• Critical vulnerability has been raised for vm2: GHSA-cchq-frgv-rjh5 with PoC to be disclosed on August 8
• The maintainers of vm2 have decided they can no longer justify maintaining the library and have therefore discontinued it
• ember-cli-deploy-s3 depends on proxy-agent which, via a series of libraries under the same monorepo (ending with degenerator), depends on vm2
• The maintainer of proxy-agent and the other intermediate libs seems to be investigating a solution but the timeline is unclear.

[gorner]

Looks like proxy-agent has been updated to remove the vulnerability in v6.3.0 with no indication of backports (this plugin current depends on v5.0.0).