From 5c3a4364c2b430186d314063e37d7b559099ed9f Mon Sep 17 00:00:00 2001 From: Dima Grossman Date: Wed, 30 Aug 2023 17:55:55 +0300 Subject: [PATCH] fix: critical vulnerability in vm2 imported by inline css Following the advice at https://github.com/TooTallNate/superagent-proxy/issues/48 to override the vulnerable vm2 version due to lack of support from superagent proxy library and the parent inline-css library --- package.json | 5 ++ pnpm-lock.yaml | 174 +++++++++++++++++++++++-------------------------- 2 files changed, 87 insertions(+), 92 deletions(-) diff --git a/package.json b/package.json index 6cbca769ffd..b85a59e3f90 100644 --- a/package.json +++ b/package.json @@ -193,5 +193,10 @@ "dependencies": { "nx": "^15.9.2", "tslib": "^2.4.0" + }, + "pnpm": { + "overrides": { + "proxy-agent": "^6.3.0" + } } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 5271ca026ee..c2d564dc2a6 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -1,5 +1,8 @@ lockfileVersion: 5.4 +overrides: + proxy-agent: ^6.3.0 + importers: .: @@ -21259,6 +21262,10 @@ packages: resolution: {integrity: sha512-XCuKFP5PS55gnMVu3dty8KPatLqUoy/ZYzDzAGCQ8JNFCkLXzmI7vNHCR+XpbZaMWQK/vQubr7PkYq8g470J/A==} engines: {node: '>= 10'} + /@tootallnate/quickjs-emscripten/0.23.0: + resolution: {integrity: sha512-C5Mc6rdnsaJDjO3UpGW/CQTHtCKaYlScZTly4JIu97Jxo/odCiH0ITnDXSJPTOrEKk/ycSZ0AOgTmkDtkOsvIA==} + dev: false + /@trysound/sax/0.2.0: resolution: {integrity: sha512-L7z9BgrNEcYyUYtF+HaEfiS5ebkh9jXqbszz7pC0hRBPaatV0XjSD3+eHrpqFemQfgwiFF0QPIarnIihIDn7OA==} engines: {node: '>=10.13.0'} @@ -24738,6 +24745,11 @@ packages: engines: {node: '>= 0.6'} dev: true + /basic-ftp/5.0.3: + resolution: {integrity: sha512-QHX8HLlncOLpy54mh+k/sWIFd0ThmRqwe9ZjELybGZK+tZ8rUb9VO0saKJUROTbE+KhzDUT7xziGpGrW8Kmd+g==} + engines: {node: '>=10.0.0'} + dev: false + /batch/0.6.1: resolution: {integrity: sha1-3DQxT05nkxgJP8dgJyUl+UvyXBY=} @@ -28112,15 +28124,15 @@ packages: resolution: {integrity: sha512-ND9qDTLc6diwj+Xe5cdAgVTbLVdXbtxTJRXRhli8Mowuaan+0EJOtdqJ0QCHNSSPyoXGx9HX2/VMnKeC34AChA==} dev: true - /data-uri-to-buffer/3.0.1: - resolution: {integrity: sha512-WboRycPNsVw3B3TL559F7kuBUM4d8CgMEvk6xEJlOp7OBPjt6G7z8WMWlD2rOFZLk6OYfFIUGsCOWzcQH9K2og==} - engines: {node: '>= 6'} - dev: false - /data-uri-to-buffer/4.0.1: resolution: {integrity: sha512-0R9ikRb668HB7QDxT1vkpuUBtqc53YyAwMwGeUFKRojY/NWKvdZ+9UYtRfGmhqNbRkTSVpMbmyhXipFFv2cb/A==} engines: {node: '>= 12'} + /data-uri-to-buffer/5.0.1: + resolution: {integrity: sha512-a9l6T1qqDogvvnw0nKlfZzqsyikEBZBClF39V3TFoKhDtGBqHu2HkuomJc02j5zft8zrUaXEuoicLeW54RkzPg==} + engines: {node: '>= 14'} + dev: false + /data-urls/2.0.0: resolution: {integrity: sha512-X5eWTSXO/BJmpdIKCRuKUgSCgAN0OwliVK3yPKbwIWU1Tdw5BRajxlzMidvh+gwko9AfQ9zIj52pzF91Q3YAvQ==} engines: {node: '>=10'} @@ -28429,14 +28441,13 @@ packages: is-descriptor: 1.0.2 isobject: 3.0.1 - /degenerator/3.0.3: - resolution: {integrity: sha512-FTq/qYMeBJACu1gHcXJvzsRBTK6aw5zWCYbEnIOyamOt5UJufWJRQ5XfDb6OuayfJWvmWAHgcZyt43vm/hbj7g==} - engines: {node: '>= 6'} + /degenerator/5.0.1: + resolution: {integrity: sha512-TllpMR/t0M5sqCXfj85i4XaAzxmS5tVA16dqvdkMwGmzI+dXLXnw3J+3Vdv7VKw+ThlTMboK6i9rnZ6Nntj5CQ==} + engines: {node: '>= 14'} dependencies: ast-types: 0.13.4 - escodegen: 1.14.3 + escodegen: 2.1.0 esprima: 4.0.1 - vm2: 3.9.16 dev: false /degit/2.8.4: @@ -29362,6 +29373,7 @@ packages: optionalDependencies: source-map: 0.6.1 dev: false + optional: true /escodegen/2.0.0: resolution: {integrity: sha512-mmHKys/C8BFUGI+MAWNcSYoORYLMdPzjrknd2Vc+bUsjN5bXcr8EhrNB+UTqfL1y3I9c4fw2ihgtMPQLBRiQxw==} @@ -29375,6 +29387,18 @@ packages: optionalDependencies: source-map: 0.6.1 + /escodegen/2.1.0: + resolution: {integrity: sha512-2NlIDTwUWJN0mRPQOdtQBzbUHvdGY2P1VXSyU83Q3xKxM7WHX2Ql8dKq782Q9TgQUNOLEzEYu9bzLNj1q88I5w==} + engines: {node: '>=6.0'} + hasBin: true + dependencies: + esprima: 4.0.1 + estraverse: 5.3.0 + esutils: 2.0.3 + optionalDependencies: + source-map: 0.6.1 + dev: false + /eslint-config-airbnb-base/15.0.0_cshkc2qhcu55b7r3t6b6lfgcxm: resolution: {integrity: sha512-xaX3z4ZZIcFLvh2oUNvcX5oEofXda7giYmuplVxoOg5A7EXJMrUyqRgR+mhDhPK8LZ4PttFOBvCYDbX3sUoUig==} engines: {node: ^10.12.0 || >=12.0.0} @@ -30737,11 +30761,6 @@ packages: requiresBuild: true optional: true - /file-uri-to-path/2.0.0: - resolution: {integrity: sha512-hjPFI8oE/2iQPVe4gbrJ73Pp+Xfub2+WI2LlXDbsaJBwT5wuMh35WNWVYYTpnz895shtwfyutMFLFywpQAFdLg==} - engines: {node: '>= 6'} - dev: false - /filelist/1.0.4: resolution: {integrity: sha512-w1cEuf3S+DrLCQL7ET6kz+gmlJdbq9J7yXCSjK/OZCPA+qEN1WyF4ZAf0YYJa4/shHJra2t/d/r8SV4Ji+x+8Q==} dependencies: @@ -31442,14 +31461,6 @@ packages: requiresBuild: true optional: true - /ftp/0.3.10: - resolution: {integrity: sha512-faFVML1aBx2UoDStmLwv2Wptt4vw5x03xxX172nhA5Y5HBshW5JweqQ2W4xL4dezQTG8inJsuYcpPHHU3X5OTQ==} - engines: {node: '>=0.8.0'} - dependencies: - readable-stream: 1.1.14 - xregexp: 2.0.0 - dev: false - /function-bind/1.1.1: resolution: {integrity: sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==} @@ -31698,16 +31709,14 @@ packages: call-bind: 1.0.2 get-intrinsic: 1.2.0 - /get-uri/3.0.2: - resolution: {integrity: sha512-+5s0SJbGoyiJTZZ2JTpFPLMPSch72KEqGOTvQsBqg0RBWvwhWUSYZFAtz3TPW0GXJuLBJPts1E241iHg+VRfhg==} - engines: {node: '>= 6'} + /get-uri/6.0.1: + resolution: {integrity: sha512-7ZqONUVqaabogsYNWlYj0t3YZaL6dhuEueZXGF+/YVmf6dHmaFg8/6psJKqhx9QykIDKzpGcy2cn4oV4YC7V/Q==} + engines: {node: '>= 14'} dependencies: - '@tootallnate/once': 1.1.2 - data-uri-to-buffer: 3.0.1 + basic-ftp: 5.0.3 + data-uri-to-buffer: 5.0.1 debug: 4.3.4 - file-uri-to-path: 2.0.0 fs-extra: 8.1.0 - ftp: 0.3.10 transitivePeerDependencies: - supports-color dev: false @@ -32946,6 +32955,16 @@ packages: transitivePeerDependencies: - supports-color + /http-proxy-agent/7.0.0: + resolution: {integrity: sha512-+ZT+iBxVUQ1asugqnD6oWoRiS25AkjNfG085dKJGtGxkdwLQrMKU5wJr2bOOFAXzKcTuqq+7fZlTMgG3SRfIYQ==} + engines: {node: '>= 14'} + dependencies: + agent-base: 7.1.0 + debug: 4.3.4 + transitivePeerDependencies: + - supports-color + dev: false + /http-proxy-middleware/2.0.6_@types+express@4.17.17: resolution: {integrity: sha512-ya/UeJ6HVBYxrgYotAZo1KvPWlgB48kUJLDePFeneHsVujFaW5WNj2NgWCAE//B1Dl02BIfYlpNgBy8Kf8Rjmw==} engines: {node: '>=12.0.0'} @@ -37059,7 +37078,6 @@ packages: /lru-cache/7.18.3: resolution: {integrity: sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA==} engines: {node: '>=12'} - dev: true /lru-cache/9.0.1: resolution: {integrity: sha512-C8QsKIN1UIXeOs3iWmiZ1lQY+EnKDojWd37fXy1aSbJvH4iSma1uy2OWuoB3m4SYRli5+CUjDv3Dij5DVoetmg==} @@ -39954,28 +39972,27 @@ packages: p-reduce: 2.1.0 dev: true - /pac-proxy-agent/5.0.0: - resolution: {integrity: sha512-CcFG3ZtnxO8McDigozwE3AqAw15zDvGH+OjXO4kzf7IkEKkQ4gxQ+3sdF50WmhQ4P/bVusXcqNE2S3XrNURwzQ==} - engines: {node: '>= 8'} + /pac-proxy-agent/7.0.0: + resolution: {integrity: sha512-t4tRAMx0uphnZrio0S0Jw9zg3oDbz1zVhQ/Vy18FjLfP1XOLNUEjaVxYCYRI6NS+BsMBXKIzV6cTLOkO9AtywA==} + engines: {node: '>= 14'} dependencies: - '@tootallnate/once': 1.1.2 - agent-base: 6.0.2 + '@tootallnate/quickjs-emscripten': 0.23.0 + agent-base: 7.1.0 debug: 4.3.4 - get-uri: 3.0.2 - http-proxy-agent: 4.0.1 - https-proxy-agent: 5.0.1 - pac-resolver: 5.0.1 - raw-body: 2.5.2 - socks-proxy-agent: 5.0.1 + get-uri: 6.0.1 + http-proxy-agent: 7.0.0 + https-proxy-agent: 7.0.1 + pac-resolver: 7.0.0 + socks-proxy-agent: 8.0.1 transitivePeerDependencies: - supports-color dev: false - /pac-resolver/5.0.1: - resolution: {integrity: sha512-cy7u00ko2KVgBAjuhevqpPeHIkCIqPe1v24cydhWjmeuzaBfmUWFCZJ1iAh5TuVzVZoUzXIW7K8sMYOZ84uZ9Q==} - engines: {node: '>= 8'} + /pac-resolver/7.0.0: + resolution: {integrity: sha512-Fd9lT9vJbHYRACT8OhCbZBbxr6KRSawSovFpy8nDGshaK99S/EBhVIHp9+crhxrsZOuvLpgL1n23iyPg6Rl2hg==} + engines: {node: '>= 14'} dependencies: - degenerator: 3.0.3 + degenerator: 5.0.1 ip: 1.1.8 netmask: 2.0.2 dev: false @@ -42356,18 +42373,18 @@ packages: forwarded: 0.2.0 ipaddr.js: 1.9.1 - /proxy-agent/5.0.0: - resolution: {integrity: sha512-gkH7BkvLVkSfX9Dk27W6TyNOWWZWRilRfk1XxGNWOYJ2TuedAv1yFpCaU9QSBmBe716XOTNpYNOzhysyw8xn7g==} - engines: {node: '>= 8'} + /proxy-agent/6.3.0: + resolution: {integrity: sha512-0LdR757eTj/JfuU7TL2YCuAZnxWXu3tkJbg4Oq3geW/qFNT/32T0sp2HnZ9O0lMR4q3vwAt0+xCA8SR0WAD0og==} + engines: {node: '>= 14'} dependencies: - agent-base: 6.0.2 + agent-base: 7.1.0 debug: 4.3.4 - http-proxy-agent: 4.0.1 - https-proxy-agent: 5.0.1 - lru-cache: 5.1.1 - pac-proxy-agent: 5.0.0 + http-proxy-agent: 7.0.0 + https-proxy-agent: 7.0.1 + lru-cache: 7.18.3 + pac-proxy-agent: 7.0.0 proxy-from-env: 1.1.0 - socks-proxy-agent: 5.0.1 + socks-proxy-agent: 8.0.1 transitivePeerDependencies: - supports-color dev: false @@ -43981,15 +43998,6 @@ packages: mute-stream: 0.0.8 dev: true - /readable-stream/1.1.14: - resolution: {integrity: sha512-+MeVjFf4L44XUkhM1eYbD8fyEsxcV81pqMSR5gblfcLCHfZvbrqy4/qYHE+/R5HoBUT11WV5O08Cr1n3YXkWVQ==} - dependencies: - core-util-is: 1.0.3 - inherits: 2.0.4 - isarray: 0.0.1 - string_decoder: 0.10.31 - dev: false - /readable-stream/2.3.8: resolution: {integrity: sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==} dependencies: @@ -45852,27 +45860,27 @@ packages: uuid: 8.3.2 websocket-driver: 0.7.4 - /socks-proxy-agent/5.0.1: - resolution: {integrity: sha512-vZdmnjb9a2Tz6WEQVIurybSwElwPxMZaIc7PzqbJTrezcKNznv6giT7J7tZDZ1BojVaa1jvO/UiUdhDVB0ACoQ==} - engines: {node: '>= 6'} + /socks-proxy-agent/7.0.0: + resolution: {integrity: sha512-Fgl0YPZ902wEsAyiQ+idGd1A7rSFx/ayC1CQVMw5P+EQx2V0SgpGtf6OKFhVjPflPUl9YMmEOnmfjCdMUsygww==} + engines: {node: '>= 10'} dependencies: agent-base: 6.0.2 debug: 4.3.4 socks: 2.7.1 transitivePeerDependencies: - supports-color - dev: false + dev: true - /socks-proxy-agent/7.0.0: - resolution: {integrity: sha512-Fgl0YPZ902wEsAyiQ+idGd1A7rSFx/ayC1CQVMw5P+EQx2V0SgpGtf6OKFhVjPflPUl9YMmEOnmfjCdMUsygww==} - engines: {node: '>= 10'} + /socks-proxy-agent/8.0.1: + resolution: {integrity: sha512-59EjPbbgg8U3x62hhKOFVAmySQUcfRQ4C7Q/D5sEHnZTQRrQlNKINks44DMR1gwXp0p4LaVIeccX2KHTTcHVqQ==} + engines: {node: '>= 14'} dependencies: - agent-base: 6.0.2 + agent-base: 7.1.0 debug: 4.3.4 socks: 2.7.1 transitivePeerDependencies: - supports-color - dev: true + dev: false /socks/2.7.1: resolution: {integrity: sha512-7maUZy1N7uo6+WVEX6psASxtNlKaNVMlGQKkG/63nEDdLOWNbiUMoLK7X4uYoLhQstau72mLgfEWcXcwsaHbYQ==} @@ -46463,10 +46471,6 @@ packages: define-properties: 1.2.0 es-abstract: 1.21.2 - /string_decoder/0.10.31: - resolution: {integrity: sha512-ev2QzSzWPYmy9GuqfIVildA4OdcGLeFZQrq5ys6RtiuF+RQQiZWr8TZNyAcuVXyQRYfEO+MsoB/1BuQVhOJuoQ==} - dev: false - /string_decoder/1.1.1: resolution: {integrity: sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==} dependencies: @@ -46890,7 +46894,7 @@ packages: superagent: '>= 0.15.4 || 1 || 2 || 3' dependencies: debug: 4.3.4 - proxy-agent: 5.0.0 + proxy-agent: 6.3.0 superagent: 8.0.9 transitivePeerDependencies: - supports-color @@ -49361,16 +49365,6 @@ packages: /vm-browserify/1.1.2: resolution: {integrity: sha512-2ham8XPWTONajOR0ohOKOHXkm3+gaBmGut3SRuu75xLd/RRaY6vqgh8NBYYk7+RW3u5AtzPQZG8F10LHkl0lAQ==} - /vm2/3.9.16: - resolution: {integrity: sha512-3T9LscojNTxdOyG+e8gFeyBXkMlOBYDoF6dqZbj+MPVHi9x10UfiTAJIobuchRCp3QvC+inybTbMJIUrLsig0w==} - engines: {node: '>=6.0'} - deprecated: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm. - hasBin: true - dependencies: - acorn: 8.10.0 - acorn-walk: 8.2.0 - dev: false - /void-elements/2.0.1: resolution: {integrity: sha512-qZKX4RnBzH2ugr8Lxa7x+0V6XD9Sb/ouARtiasEQCHB1EVU4NXtmHsDDrx1dO4ne5fc3J6EW05BP1Dl0z0iung==} engines: {node: '>=0.10.0'} @@ -50833,10 +50827,6 @@ packages: engines: {node: '>=0.4.0'} dev: false - /xregexp/2.0.0: - resolution: {integrity: sha1-UqY+VsoLhKfzpfPWGHLxJq16WUM=} - dev: false - /xtend/4.0.2: resolution: {integrity: sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==} engines: {node: '>=0.4'}