Update proxy-agent to remove vulnerable vm2 dependency
matthewsac opened this issue
Dependabot issued a critical alert on the vm2 library which is used by proxy-agent. A new version of proxy-agent removes this vulnerability by replacing vm2. Prism needs to be updated to use this new version.
Links to the two Dependabot alerts that relate to this issue:
Link to the new proxy-agent version to be used:
proxy-agent@6.3.0
NOTE: This update must also be done for spectral and platform-internal. See the links to the other issues in the comments.
Spectral: stoplightio/spectral#2519
Platform-Internal: https://github.com/stoplightio/platform-internal/issues/17519
@stoplightio/tacocats we should consider adopting the same library as spectral: stoplightio/spectral#2513
@daniel-white what are the advantages of hpagent over an upgrade of proxy-agent?
@ed I'm not sure - just wanting to reduce the proliferation of third-party dependencies.
@P0lip, could you help us understand why you chose to switch to hpagent instead of upgrading proxy-agent in stoplightio/spectral#2513? Do you think we should switch to that in prism, too?
It was recommended in stoplightio/spectral#2510 (comment). hpagent is a 0-dependency module, so that was mostly the reasoning.
In the case of Spectral, proxy-agent has been a bit of a pain for me in terms of vulnerabilities due to its reliance on a number of dependencies that tended to be vulnerable.
Do you think we should switch to that in prism, too?
I'd consider it if it's easy to set up. In the case of Spectral, I didn't need to change much code so I went for the change hoping it'll reduce the number of vulnerability reports caused by transient dependencies of proxy-agent.