stoplightio / prism

Turn any OpenAPI2/3 and Postman Collection file into an API server with mocking, transformations and validations.

Home Page: https://stoplight.io/open-source/prism

Update proxy-agent to remove vulnerable vm2 dependency

matthewsac opened this issue

Dependabot issued a critical alert on the vm2 library which is used by proxy-agent. A new version of proxy-agent removes this vulnerability by replacing vm2. Prism needs to be updated to use this new version.

Links to the two Dependabot alerts that relate to this issue:

265
266

Link to the new proxy-agent version to be used:
proxy-agent 406.3.0

NOTE: This update must also be done for spectral and platform-internal. See the links to the other issues in the comments.
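Before and after an upgrade like this, the question a maintainer actually needs answered is "which of our direct dependencies drags vm2 in, and is the chain gone now?". The script below is an added example, not Prism's own code: it walks an npm lockfile (lockfileVersion 2 or 3, the `packages` map) using npm's nearest-`node_modules` resolution and prints every dependency chain from the root to a flagged package. The two lockfiles embedded in it are constructed for the example; their chain shape (proxy-agent > pac-proxy-agent > pac-resolver > degenerator > vm2) mirrors how older proxy-agent releases pulled vm2 in, but the version numbers are illustrative, not the exact versions Prism shipped.

```javascript
// Added example (not part of Prism): report every dependency chain in an npm
// lockfile that ends at a flagged package (here vm2), so a Dependabot alert can
// be traced to the direct dependency responsible and re-checked after upgrading.
// Works on lockfileVersion 2/3, whose "packages" map is keyed by install path.

// Constructed sample: the pre-upgrade tree. degenerator@3 is nested under
// pac-resolver because a different major (4.x, no vm2) was hoisted for other-lib.
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'proxy-agent': '^5.0.0', 'other-lib': '^1.0.0' } },
    'node_modules/proxy-agent': { version: '5.0.0', dependencies: { 'pac-proxy-agent': '^5.0.0' } },
    'node_modules/pac-proxy-agent': { version: '5.0.0', dependencies: { 'pac-resolver': '^5.0.0' } },
    'node_modules/pac-resolver': { version: '5.0.1', dependencies: { degenerator: '^3.0.0' } },
    'node_modules/pac-resolver/node_modules/degenerator': { version: '3.0.4', dependencies: { vm2: '^3.9.0' } },
    'node_modules/vm2': { version: '3.9.16' },
    'node_modules/other-lib': { version: '1.0.0', dependencies: { degenerator: '^4.0.0' } },
    'node_modules/degenerator': { version: '4.0.0' },
  },
};

// Constructed sample: the post-upgrade tree, where degenerator no longer depends on vm2.
const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'proxy-agent': '^6.3.0', 'other-lib': '^1.0.0' } },
    'node_modules/proxy-agent': { version: '6.3.0', dependencies: { 'pac-proxy-agent': '^7.0.0' } },
    'node_modules/pac-proxy-agent': { version: '7.0.0', dependencies: { 'pac-resolver': '^7.0.0' } },
    'node_modules/pac-resolver': { version: '7.0.0', dependencies: { degenerator: '^5.0.0' } },
    'node_modules/degenerator': { version: '5.0.0' },
    'node_modules/other-lib': { version: '1.0.0', dependencies: { degenerator: '^5.0.0' } },
  },
};

// "node_modules/pac-resolver/node_modules/degenerator" -> "degenerator"; "" is the root project.
function packageName(key) {
  if (key === '') return '<root>';
  return key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// npm resolution: look for depName in the nearest node_modules directory, walking
// up from the requiring package towards the project root. Returns null if the
// dependency is not installed (e.g. an optional dependency skipped on this platform).
function resolveDependency(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = (base === '' ? '' : base + '/') + 'node_modules/' + depName;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first search from the root; every path that reaches a package named
// `target` is returned as a list of "name@version" labels. Cycles are cut by
// refusing to revisit a key already on the current path.
function findChains(lock, target) {
  const packages = lock.packages;
  if (!packages) throw new Error('expected lockfileVersion 2 or 3 (a "packages" map)');
  const labelOf = (key) => (key === '' ? '<root>' : `${packageName(key)}@${packages[key].version}`);
  const chains = [];
  function visit(key, stack) {
    if (stack.includes(key)) return;
    const path = stack.concat(key);
    if (packageName(key) === target) {
      chains.push(path.map(labelOf));
      return;
    }
    const entry = packages[key];
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies);
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDependency(packages, key, dep);
      if (resolved !== null) visit(resolved, path);
    }
  }
  visit('', []);
  return chains;
}

// Human-readable report; an empty chain list means the flagged package is absent.
function formatReport(lock, target) {
  const chains = findChains(lock, target);
  if (chains.length === 0) return `${target}: not present in the dependency tree`;
  return [`${target}: reachable via ${chains.length} chain(s)`]
    .concat(chains.map((c) => '  ' + c.join(' > ')))
    .join('\n');
}

console.log('before upgrade\n' + formatReport(SAMPLE_LOCK_BEFORE, 'vm2'));
console.log('after upgrade\n' + formatReport(SAMPLE_LOCK_AFTER, 'vm2'));
```

To run it against a real tree, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findChains` in place of the constructed samples. The nearest-`node_modules` walk matters: a hoisted, patched `degenerator` at the top level does not mean the nested copy under `pac-resolver` is gone, which is exactly the situation in the first sample and the reason a name-only grep of the lockfile can give a false all-clear.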

@stoplightio/tacocats we should consider adopting the same library as spectral: stoplightio/spectral#2513

@daniel-white what are the advantages of hpagent over an upgrade of proxy-agent?

@ed I'm not sure, just wanting to reduce the proliferation of 3rd party dependencies.

@P0lip, could you help us understand why you chose to switch to hpagent instead of upgrading proxy-agent in stoplightio/spectral#2513? Do you think we should switch to that in prism, too?

It was recommended in stoplightio/spectral#2510 (comment)
hpagent is a 0-dependency module, so that was mostly the reasoning.
In the case of Spectral, proxy-agent has been a bit of a pain for me in terms of vulnerabilities due to its reliance on a number of dependencies that tended to be vulnerable.

Do you think we should switch to that in prism, too?

I'd consider it if it's easy to set up. In the case of Spectral, I didn't need to change much code so I went for the change hoping it'll reduce the number of vulnerability reports caused by transient dependencies of proxy-agent.