critical
vm2 security issues
#5643
Comments
Up. |
The |
+1 |
+1 |
+1 |
+1 |
+1 |
+1 |
Thanks for maintaining |
+1 |
+1 @Unitech |
They are working on it. |
An update was just released to @pm2/agent updating |
+1 |
+1 |
Snyk is still reporting this as a vulnerability when I do a package.json overrides to pm2/agent@2.0.3, any thoughts? CVE-2023-37466 |
Yes. pac-proxy-agent@7.0.0 depends on pac-resolver@7.0.0, which depends on degenerator@5.0.1, with no dependency on vm2! |
May I ask how the progress is?
|
I don't know what you mean.
|
Thank you for your answer. This has already solved my problem |
Same here. For some reason, I thought the pm2 package had to change, and I was waiting for a pm2 release. It looks like just
|
Running |
This is all fixed. Feel free to close this issue. |
|
For anyone using yarn: confirm that vm2 is removed: |
What's going wrong?
GHSA-cchq-frgv-rjh5
Security issue found in vm2, allows remote code execution
How could we reproduce this issue?
POC not yet disclosed.
Supporting information
vm2 is already deprecated. It suggests switching to isolated-vm.
https://github.com/patriksimek/vm2#%EF%B8%8F-project-discontinued-%EF%B8%8F
OUTPUT