fix(cli): resolve vm2 security vulnerability #5070

Merged
merged 6 commits into from
Dec 19, 2023

@sean-perkins sean-perkins commented Dec 14, 2023

Ionic CLI currently reports a security vulnerability with the vm2 dependency as a result of superagent-proxy > proxy-agent.

The superagent-proxy package is a smaller wrapper around superagent and proxy-agent that is not maintained.

This PR removes the dependency for superagent-proxy and upgrades to proxy-agent@6, which no longer has the vm2 dependency requirement. The proxy-agent package uses ESM and, as a result, a lot of other usages had to be migrated once esModuleInterop was enabled. The proxy behavior that superagent-proxy was responsible for has been added here: https://github.com/ionic-team/ionic-cli/blob/4332a24af67b98424ff19083a6f9e2e09a66c0a8/packages/%40ionic/cli/src/lib/utils/superagent-proxy.ts

Here is the error message without esModuleInterop:

```
node_modules/get-uri/dist/http.d.ts:5:8 - error TS1192: Module '"http"' has no default export.

5 import http_ from 'http';
         ~~~~~

node_modules/get-uri/dist/http.d.ts:6:8 - error TS1192: Module '"https"' has no default export.

6 import https from 'https';
         ~~~~~

node_modules/proxy-agent/dist/index.d.ts:3:8 - error TS1259: Module '"/Users/sean/Documents/ionic/ionic-cli/packages/@ionic/cli/node_modules/proxy-agent/node_modules/lru-cache/index"' can only be default-imported using the 'esModuleInterop' flag

3 import LRUCache from 'lru-cache';
         ~~~~~~~~

  node_modules/proxy-agent/node_modules/lru-cache/index.d.ts:869:1
    869 export = LRUCache
        ~~~~~~~~~~~~~~~~~
    This module is declared with 'export =', and can only be used with a default import when using the 'esModuleInterop' flag.

Found 3 errors in 2 files.

Errors  Files
     2  node_modules/get-uri/dist/http.d.ts:5
     1  node_modules/proxy-agent/dist/index.d.ts:3
```

@sean-perkins sean-perkins marked this pull request as ready for review December 14, 2023 20:45
@sean-perkins sean-perkins requested review from a team and brandyscarney and removed request for a team December 14, 2023 20:45
Co-authored-by: Maria Hutt <thetaPC@users.noreply.github.com>

@thetaPC thetaPC left a comment

LGTM

@sean-perkins sean-perkins merged commit 4050419 into develop Dec 19, 2023
4 checks passed
@sean-perkins sean-perkins deleted the sp/vm2-security branch December 19, 2023 16:31
@sean-perkins sean-perkins mentioned this pull request Jan 15, 2024
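
To confirm that a dependency swap like this one really removes vm2 from the install tree, the chains that pull it in can be read straight from the lockfile. The following is an added example, not code from this PR or from the Ionic CLI; the lockfile is constructed, and `sample-intermediate`, the version strings, and the function names `resolveDep` and `findChains` are assumptions.

```javascript
// Constructed lockfile in npm's "packages" layout. superagent-proxy, proxy-agent
// and vm2 are named in the PR; "sample-intermediate" and every version string
// are placeholders, not real release data.
const sampleLock = {
  packages: {
    "": { dependencies: { "superagent-proxy": "*", "lru-cache": "*" } },
    "node_modules/superagent-proxy": { version: "0.0.1", dependencies: { "proxy-agent": "*" } },
    "node_modules/proxy-agent": { version: "0.0.1", dependencies: { "sample-intermediate": "*", "lru-cache": "*" } },
    "node_modules/proxy-agent/node_modules/lru-cache": { version: "0.0.2" },
    "node_modules/sample-intermediate": { version: "0.0.1", dependencies: { vm2: "*" } },
    "node_modules/vm2": { version: "0.0.1" },
    "node_modules/lru-cache": { version: "0.0.1" },
  },
};

// Resolve a dependency the way Node does: the requiring package's own
// node_modules first, then each enclosing node_modules up to the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (candidate in packages) return candidate;
    if (!base) return null; // declared but not installed (e.g. optional)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return every dependency chain from the root project to `target`,
// each as a list of package names ending in the target.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, names, seen) => {
    const meta = packages[path] || {};
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, path, name);
      if (next === null || seen.has(next)) continue; // not installed, or a cycle
      if (name === target) chains.push([...names, name]);
      else walk(next, [...names, name], new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

console.log(findChains(sampleLock, "vm2").map((c) => c.join(" > ")));
```

An empty result for `vm2` on the real `package-lock.json` means no installed package still resolves it.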