cloudinary / cloudinary_npm

Cloudinary NPM for node.js integration

Security violation in `proxy-agent` dependency

mHubbell opened this issue · comments

Bug report for Cloudinary NPM SDK

Before proceeding, please update to latest version and test if the issue persists

Describe the bug in a sentence or two.

snyk reports a "critical severity" security issue through proxy-agent@5.0.0 › pac-proxy-agent@5.0.0 › pac-resolver@5.0.0 › degenerator@3.0.2 › vm2@3.9.9 ("vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules"). This will cause many build systems (including ours) to fail builds until resolved.

Steps to reproduce

Run snyk test on your repository

Hi,
Thanks for reporting this - I've checked with the maintainers of this SDK and we'll be updating the SDK soon to update the dependencies; we'll let you know here once the fix has been merged and a new release made

Hi,
We're working on a release to the SDK to update the dependencies which should be ready in a few days' time.

In the meantime, you may find that if you refresh all your project's dependencies via npm, some of the dependencies of our SDK will be implicitly updated to newer, non-affected versions

-Stephen

Hi there, I am facing the same issue on a private repo that I am working on. I wanted to check if there is any update on the fix.
Thanks!

Hi @avarma94!

I ran snyk test both in the repo of the sdk and in a project that has the sdk listed as a dependency. I don't have any high or critical security vulnerabilities in the report.

Please provide versions of packages that you're using locally:

  • for node: node --version
  • for snyk: snyk --version
  • for cloudinary's sdk: check your package.json

Strange, I've come to the same conclusion as @mHubbell but by manual review. The strange thing indeed is that, when creating an empty npm project only adding cloudinary, I cannot get the same vulnerability...

We're seeing the vulnerability initially posted in this ticket when we run pnpm audit

@jamespohalloran Can you share which npm, snyk and sdk version you are using?

@PixelCook
cloudinary 1.34.0
https://github.com/tinacms/tinacms/blob/main/packages/next-tinacms-cloudinary/package.json#L24

We have a pnpm override to get around it which isn't ideal: https://github.com/tinacms/tinacms/blob/main/packages/next-tinacms-cloudinary/package.json#L43

As for snyk, I'm not using it. This is logged for me from a pnpm audit.

Hi @avarma94 , just wanted to follow up on these:

Please provide versions of packages that you're using locally:

  • for node: node --version
  • for snyk: snyk --version
  • for cloudinary's sdk: check your package.json

Hi @avarma94 , @jamespohalloran , @nathantaal @mHubbell :

The most recent release of the SDK (1.36.1) should help with at least some if not all of the vulnerabilities in question. Could you try updating to the latest version and seeing if this fixes things on your end?

I'm still seeing a security alert from the VM2 library, I'm using 1.36.1

Hi @wootwoot1234 , there's been another update (1.36.2), could you please try out this version? Additionally, what npm version are you using?