Latest versions of proxy-agent upgraded because of vm2 vulnerability are incompatible here #48
@TooTallNate You seem to be listed as the only collaborator on the npm page, so I'll direct this at you: any chance of a review of this PR or an independent update? I'm wondering if we should consider this library unsupported at this point. I suspect I speak for others when I say that we appreciate your other work on the proxy-agent -> .. -> degenerator stack, but other dependencies referencing this lib hit kind of a dead end (without more drastic measures like migrating off this lib entirely).
As a workaround you can use the
Seems to work fine for me. You may need to delete your
Thanks @gterras, but my experience has been that overrides do not cascade. So if I create a library that points at superagent-proxy using overrides and someone uses my library, they will still have the security issue (e.g. other lib -> my lib -> superagent-proxy === audit failure). Telling callers of my lib to apply overrides to their package is an unsatisfying solution. The package.json docs are fairly vague on this point, so it was discovered through trial and error.
Ha yes, it might be more complex or even impossible regarding lib publishing.
People Who Know Things, I could use eyes and help on #50 where I think we can see the upgrade blockers more clearly now. |
My experience with the overrides workaround:
✅ it will install the updated version of proxy-agent to node_modules
The superagent agent will not be configured to perform comms through a proxy.
Hi @TooTallNate, so will there be a newer version of this package or not? Could you please clarify?
Following the advice at TooTallNate/superagent-proxy#48 to override the vulnerable vm2 version due to lack of support from superagent proxy library and the parent inline-css library
superagent-proxy v3 cannot be used with proxy-agent v6 because of breaking changes in the exports, at least.
superagent-proxy/index.js, line 6 at commit ce624a1
https://github.com/TooTallNate/proxy-agents/tree/main/packages/proxy-agent
Perhaps that is what has been declared, but I'm not sure how to untangle this from the supposedly necessary proxy-agent upgrades for vm2.
Can there please be a v4 released that correctly imports proxyAgent v6?
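The export change described in this issue is the kind of thing a thin adapter can absorb while a fix is pending. The following is an added example written for this page; it is not code from superagent-proxy or from the proxy-agents repository. It assumes that proxy-agent up to v5 exposed a callable/constructible function as the module itself (and as `.default` under ESM interop) that takes the proxy URI, and that proxy-agent v6 exposes a named `ProxyAgent` class whose options accept a `getProxyForUrl(url)` callback instead of a positional URI. Both assumptions should be checked against the README of the version actually installed. The `Fake*` modules are constructed stand-ins so the code runs without either version installed and performs no network I/O.

```javascript
// Added example (not superagent-proxy's or proxy-agents' code): pick the right
// proxy-agent constructor whichever major version is installed.
//
// Assumptions, to be checked against the installed version's README:
//   - proxy-agent <= 5: the module itself (and `.default` under ESM interop)
//     is a constructor taking the proxy URI.
//   - proxy-agent 6: a named `ProxyAgent` class whose options accept
//     `getProxyForUrl(url)`; the URI is no longer passed positionally.

function detectProxyAgentShape(mod) {
  // Check the v6 named export first: a v5 module is itself a function, so the
  // order of these tests matters.
  if (mod && typeof mod.ProxyAgent === 'function') return 'v6-named';
  if (typeof mod === 'function') return 'v5-module';
  if (mod && typeof mod.default === 'function') return 'v5-default';
  return 'unknown';
}

function createProxyAgent(mod, proxyUri) {
  const shape = detectProxyAgentShape(mod);
  switch (shape) {
    case 'v6-named':
      // v6 resolves the proxy per request; pinning it through getProxyForUrl
      // keeps a caller-supplied URI ahead of the *_PROXY environment variables.
      return new mod.ProxyAgent({ getProxyForUrl: () => proxyUri });
    case 'v5-module':
      return new mod(proxyUri);
    case 'v5-default':
      return new mod.default(proxyUri);
    default:
      // Fail loudly rather than silently creating a non-proxying agent, which
      // is the failure mode reported with the overrides workaround.
      throw new TypeError('unrecognised proxy-agent export shape: ' + shape);
  }
}

// Constructed stand-ins for the two module shapes (no network I/O).
class FakeProxyAgentV6 {
  constructor(opts = {}) {
    this.getProxyForUrl = opts.getProxyForUrl || (() => '');
  }
}
const fakeV6Module = { ProxyAgent: FakeProxyAgentV6 };

function FakeProxyAgentV5(uri) {
  this.proxy = uri;
}
const fakeV5Module = FakeProxyAgentV5;
fakeV5Module.default = FakeProxyAgentV5;

// Usage with a real install would be:
//   createProxyAgent(require('proxy-agent'), 'http://proxy.example:3128')
```

With a real install the adapter sits where superagent-proxy calls into proxy-agent, so superagent's `.proxy(uri)` keeps working regardless of which major version the lockfile resolves; an `unknown` shape throws instead of handing superagent an agent that silently bypasses the proxy.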