Need to replace vulnerable vm2 library #450

Closed
wz2b opened this issue Mar 5, 2024 · 5 comments
Labels: dependencies (Pull requests that update a dependency file), handled by plus4nodered team (https://p4nr.com/), problem, pull request welcome (send your pull request and contribute to the project), question, sponsors are welcome (https://plus4nodered.com/), Stale

Comments


wz2b commented Mar 5, 2024

Which node-red-contrib-modbus version are you using?

5.30.0

What happened?

When you install node-red-contrib-modbus, npm reports:

The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

Server

Modbus-Server Node

How can this be reproduced?

Install the package from the command line (using npm) and watch the output

What did you expect to happen?

I expect to be able to install the package without any severity=critical security warnings

Other Information

This was reported previously but closed by the bot due to inactivity. There are previous CVEs out there that all say the problem is with vm2 3.9.18, but this is installing 3.9.19 and I still get the warning. https://www.npmjs.com/package/vm2 suggests migrating from vm2 to isolated-vm.

@wz2b wz2b added the bug label Mar 5, 2024

biancode commented Mar 22, 2024

Feel free to support us in solving all these issues, see https://p4nr.com/!

@biancode biancode added the question, problem, sponsors are welcome (https://plus4nodered.com/), pull request welcome and dependencies labels and removed the bug label Mar 22, 2024
@biancode biancode self-assigned this Mar 22, 2024
biancode commented

A switch over to the vm module used by Node-RED is possible, but there are some issues in testing whether vm can do the same work.


S474N commented May 4, 2024

Still deprecated vm2:

2024-05-04T18:07:08.610Z Install : node-red-contrib-modbus 5.31.0

2024-05-04T18:07:09.942Z npm install --no-audit --no-update-notifier --no-fund --save --save-prefix=~ --production --engine-strict node-red-contrib-modbus@5.31.0
2024-05-04T18:07:10.138Z [err] npm WARN config production Use `--omit=dev` instead.
2024-05-04T18:07:15.168Z [err] npm WARN deprecated [email protected]: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.
2024-05-04T18:07:16.025Z [out] 
2024-05-04T18:07:16.025Z [out] added 34 packages in 6s
2024-05-04T18:07:16.031Z rc=0

biancode commented

#461 - comes soon with 5.40.+

github-actions bot commented Jul 17, 2024

This issue is stale because it has been open 60 days with no activity. It will be closed in 30 days, but can be saved by removing the stale label or commenting.

@github-actions github-actions bot added the Stale label Jul 17, 2024
@biancode biancode added the handled by plus4nodered team https://p4nr.com/ label Jul 24, 2024