Deps have critical security issues

[virbyte]

WARN  deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
 WARN  deprecated vm2@3.9.19: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

[boxexchanger]

Hi, RCE security issue!, Overview
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) such that handler sanitization can be bypassed, allowing attackers to escape the sandbox.

Note:

According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

SNYK: https://security.snyk.io/vuln/SNYK-JS-VM2-5772825

[GnipN]

For my case:

1. new install pm2 then got warning as your posted:
   : sudo npm install pm2 -g

npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated vm2@3.9.19: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

2. update uuid:
   : npm update uuid

up to date, audited 59 packages in 919ms
8 packages are looking for funding
run npm fund for details
found 0 vulnerabilities

3. recheck vulnerabilities:
   : npm audit

found 0 vulnerabilities

---

Hope this could help you guys ;)

[OIRNOIR]

For my case:

1. new install pm2 then got warning as your posted:
   : sudo npm install pm2 -g

npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated vm2@3.9.19: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

2. update uuid:
   : npm update uuid

up to date, audited 59 packages in 919ms 8 packages are looking for funding run npm fund for details found 0 vulnerabilities

3. recheck vulnerabilities:
   : npm audit

found 0 vulnerabilities

Hope this could help you guys ;)

This only says 0 vulnerabilities because npm audit does not check globally installed packages. Try installing pm2 to a local directory instead.

[mterrel]

The proxy-agent dependency just released a new version 6.3.0 that no longer depends on vm2: https://github.com/TooTallNate/proxy-agents/releases

[OIRNOIR]

The proxy-agent dependency just released a new version 6.3.0 that no longer depends on vm2: https://github.com/TooTallNate/proxy-agents/releases

Awesome! We can just upgrade proxy-agent to 6.3.0.

[gabrielenosso]

vm2 critical security issue - same as here: #5643
Need this fixed ASAP for CI/CD Pipeline which recognizes this as a Critical risk

[boxexchanger]

@Unitech any updates? When it will be fixed?

[OIRNOIR]

This is no longer an issue. It can be closed. @virbyte