Critical security vulnerability in vm2

[Havunen]

Sandbox bypass in vm2 - GHSA-6pw2-5hjv-9pf7
fix available via npm audit fix

node_modules/vm2

1 critical severity vulnerability

npm list vm2 shows this repository as part of the dependency chain

`-- ibm-openapi-validator@0.53.1
  `-- @stoplight/spectral-cli@6.2.0
    `-- proxy-agent@5.0.0
      `-- pac-proxy-agent@5.0.0
        `-- pac-resolver@5.0.0
          `-- degenerator@3.0.1
            `-- vm2@3.9.5

Connects to: TooTallNate/node-pac-proxy-agent#46

[dgilperez]

Same here, happily looking for this to be fixed.

[alasdairhurst]

Looks like it is resolved, as well as CVE-2022-36067

└─┬ proxy-agent@5.0.0
  └─┬ pac-proxy-agent@5.0.0
    └─┬ pac-resolver@5.0.1
      └─┬ degenerator@3.0.2
        └── vm2@3.9.11

[penfold45]

@alasdairhurst Not sure how you are getting that vm2 version but it does not appear to be directly from proxy-agent@5.0.0
as it does not appear to have been updated in over a year and I am still getting this problem

EDIT: ah for some reason I had to delete my package-lock.json and now its picking up vm2@3.9.11

[CameronSima]

3.9.11 is also now a vulnerable version, should now be upgraded to 3.9.17

[TooTallNate]

This code in this repository has been moved to the proxy-agents monorepo, so I am closing this pull request. If you feel that this issue still exists as of the latest release, feel free to open a new issue over there.