
[email protected]: The library contains critical security issues and should not be used for production! #69

Closed
9mm opened this issue Aug 9, 2023 · 5 comments

Comments

@9mm

9mm commented Aug 9, 2023

Describe the bug

When installing nuxt-og-image I get this error because of some insane chain of dependencies. I don't know where in the chain the issue should be added, but considering nuxt-og-image is the actual library I care about, I'm putting it here.

 WARN  deprecated [email protected]: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

Reproduction

No response

System / Nuxt Info

I'm using pnpm to install.

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ vm2 Sandbox Escape vulnerability                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ vm2                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.9.19                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > [email protected] > [email protected] >          │
│                     │ [email protected] > [email protected] >               │
│                     │ [email protected] > [email protected] >        │
│                     │ [email protected] > [email protected] >            │
│                     │ [email protected] > [email protected] > [email protected]    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-cchq-frgv-rjh5      │
└─────────────────────┴────────────────────────────────────────────────────────┘
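Added example, not from the nuxt-og-image project or this thread: a Node script that walks a dependency tree shaped like the audit table above and reports every path ending in vm2, marking versions that fall inside the advisory's stated range. The tree, its intermediate package names and the "0.0.0" versions are constructed stand-ins; only vm2, the range and the inline-css hop come from the page.

```javascript
// Added example (not part of nuxt-og-image): find every dependency path that
// pulls in vm2 and tag versions inside the advisory's stated range (<=3.9.19).
// GHSA-cchq-frgv-rjh5 lists no patched version, so every vm2 hit is reported.

const ADVISORY_RANGE_MAX = "3.9.19";

// Numeric compare of "major.minor.patch" strings; pre-release tags are ignored.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function inAdvisoryRange(version) {
  return compareSemver(version, ADVISORY_RANGE_MAX) <= 0;
}

// Depth-first walk over {name, version, dependencies: [...]} nodes. Returns one
// record per vm2 occurrence with its "name@version > ..." path from the root.
function findVm2Paths(node, trail = []) {
  const here = [...trail, `${node.name}@${node.version}`];
  const hits = [];
  if (node.name === "vm2") {
    hits.push({ path: here.join(" > "), version: node.version, inAdvisoryRange: inAdvisoryRange(node.version) });
  }
  for (const dep of node.dependencies || []) hits.push(...findVm2Paths(dep, here));
  return hits;
}

// Constructed tree: "transitive-a/b" and "unrelated-dep" are stand-in names and
// "0.0.0" is a placeholder where the page gives no version.
const sampleTree = {
  name: ".", version: "0.0.0", dependencies: [
    { name: "nuxt-og-image", version: "0.0.0", dependencies: [
      { name: "inline-css", version: "0.0.0", dependencies: [
        { name: "transitive-a", version: "0.0.0", dependencies: [
          { name: "vm2", version: "3.9.19", dependencies: [] }] }] },
      { name: "unrelated-dep", version: "0.0.0", dependencies: [] }] },
    { name: "transitive-b", version: "0.0.0", dependencies: [
      { name: "vm2", version: "3.9.11", dependencies: [] }] },
  ],
};

for (const f of findVm2Paths(sampleTree)) {
  console.log(`${f.inAdvisoryRange ? "VULNERABLE" : "CHECK"} ${f.path}`);
}
```

Feeding it the tree from a real lockfile (for example the JSON that `pnpm list --json --depth Infinity` emits, after mapping its fields onto name/version/dependencies) turns this into a CI gate that fails while any vm2 path remains.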
@6ixfalls

6ixfalls commented Sep 4, 2023

You can use overrides in package.json for npm or resolutions for yarn - here's a reference:

Concept TooTallNate/superagent-proxy#48 (comment) - This doesn't seem to affect functionality for my use-case.

@harlan-zw
Collaborator

To give some context on this error: this is from the inline-css dependency, which is used to inline styles.

The inline-css implementation won't process fetches, so the vm2 code should never run.

I'd like to replace this dependency with something else but I don't have the capacity at the moment.

@aoor9
Contributor

aoor9 commented Sep 13, 2023

I took care of it once, and I can contribute by doing the same to this package.

@harlan-zw
Collaborator

> I took care of it once, and I can contribute by doing the same to this package.

That would be amazing!

@harlan-zw
Collaborator

Fixed in 2.0.27 thanks to the great work of @aoor9 🙌
