vm2 (via pac-proxy-agent) causes build failures in webpack #266

Open
AlabasterAxe opened this issue Mar 29, 2022 · 9 comments
Labels
type: bug This issue reports a bug.

AlabasterAxe commented Mar 29, 2022

We recently attempted to upgrade our version of pubnub but we're blocked by similar issues to the one highlighted by:
#239

In our case, vm2 makes a call to `require(coffee-script)` and attempts to call `readFileSync` on a file called `bridge.js` that it supplies, both of which cause our build to fail.

It looks like we should be able to work around it by patching out the dependency on pac-proxy-agent. Basically, I have two questions:

  • under what circumstances would pubnub use pac proxies (if ever)?
  • if the pubnub client doesn't use pac proxies, would it be possible for pubnub to patch out its dependency on pac-proxy-agent since vm2 seems to be causing issues for some users using webpack?

Edit: we're currently on 4.29.7, we've attempted to upgrade to a couple of different versions but any greater version than our current version caused these issues.

@AlabasterAxe changed the title from "superagent-proxy causes build failures in webpack" to "vm2 (via pac-proxy-agent) causes build failures in webpack" on Mar 29, 2022
@AlabasterAxe
Author

@srubin FYI

patela commented Mar 31, 2022

I ran into the same issue when trying to upgrade from 4.33.0 to 4.34.0. It appears this might be due to the superagent update that was listed in the PubNub JS SDK changelog for 4.34.0.

We're using webpack to package our Node.js lambda which uses PubNub JS SDK and this prevents us from upgrading to any version of the PubNub JS SDK beyond 4.33.0.

@ShepelievD

I face the same issue. For serverless functions, for example AWS Lambda, my TypeScript compiles it into a single file, so it doesn't work, because of the following flow:

  1. Pubnub uses superagent-proxy
  2. superagent-proxy uses vm2
  3. vm2 executes the following code inline during execution: `` ${fs.readFileSync(`${__dirname}/bridge.js`, "utf8")} ``, so it's not possible to predict file loading

It has taken me a while to figure this out. This is very important. I can't use the latest version.
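
To see which direct dependency pulls vm2 into a bundle, as in the chain described in the comment above, the following added example (not code from this thread or from the PubNub SDK) walks the `packages` map of an npm lockfile. The sample lockfile is constructed: the chain is collapsed to package names mentioned in this thread, the version strings are placeholders, and a flat, hoisted `node_modules` layout is assumed.

```javascript
// Added example: trace which dependency chains pull a package into a build.
// Assumes an npm lockfile ("packages" map) with a flat, hoisted layout.

// Constructed sample lockfile; versions are placeholders, not real releases,
// and intermediate packages of the real chain are omitted.
const sampleLock = {
  packages: {
    '': { dependencies: { pubnub: '0.0.0', express: '0.0.0' } },
    'node_modules/pubnub': { version: '0.0.0', dependencies: { 'superagent-proxy': '0.0.0' } },
    'node_modules/superagent-proxy': { version: '0.0.0', dependencies: { 'pac-proxy-agent': '0.0.0' } },
    'node_modules/pac-proxy-agent': { version: '0.0.0', dependencies: { vm2: '0.0.0' } },
    'node_modules/vm2': { version: '0.0.0' },
    'node_modules/express': { version: '0.0.0' },
  },
};

// Return every chain of package names leading from the root project to `target`.
function findDependencyPaths(lock, target) {
  const packages = lock.packages || {};
  const paths = [];
  const walk = (key, chain) => {
    const entry = packages[key];
    if (!entry) return; // entry absent, e.g. an optional dependency not installed
    const deps = { ...entry.dependencies, ...entry.optionalDependencies };
    for (const name of Object.keys(deps)) {
      if (chain.includes(name)) continue; // guard against dependency cycles
      const next = [...chain, name];
      if (name === target) paths.push(next);
      else walk(`node_modules/${name}`, next);
    }
  };
  walk('', []); // the '' key is the root project
  return paths;
}

// Direct dependencies of the root project that transitively pull in `target`.
function directCulprits(lock, target) {
  return [...new Set(findDependencyPaths(lock, target).map((p) => p[0]))];
}

// Print each chain, one per line, for the constructed sample.
console.log(findDependencyPaths(sampleLock, 'vm2').map((p) => p.join(' > ')).join('\n'));
```

Run against a real `package-lock.json`, the same walk shows whether a flagged transitive package still arrives through an SDK after an upgrade.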

patela commented May 2, 2022

I have found a work-around for this issue, but it's pretty ugly. What I do is copy node_modules/vm2/lib/bridge.js and node_modules/vm2/lib/setup-sandbox.js into my lambda zip file that I deploy. This makes those files available at run-time. With this workaround I can use PubNub v5.0.1 with rollup but it should also work with webpack.

I hope that this issue gets a real resolution soon.

jazpearson commented Sep 13, 2022

Also seeing the same issues and we need to update the SDK because of some high severity security issues: https://www.cve.org/CVERecord?id=CVE-2021-23406

@jazpearson

Similar to @patela, but I added the files to my webpack config, so at least the files are bundled. Ideally we wouldn't need to do this.

```js
const path = require('path');

// these files are required by vm2 which is a dependency of the pubnub SDK
const bridgeConfig = {
    entry: './node_modules/vm2/lib/bridge.js',
    output: {
        filename: 'bridge.js',
        path: path.resolve(__dirname, '../build')
    }
};
const sandboxConfig = {
    entry: './node_modules/vm2/lib/setup-sandbox.js',
    output: {
        filename: 'setup-sandbox.js',
        path: path.resolve(__dirname, '../build')
    }
};

// otherConfigs: the project's existing webpack configurations, defined elsewhere in this file
module.exports = [
    ...otherConfigs,
    bridgeConfig,
    sandboxConfig
];
```

@are self-assigned this on Oct 10, 2022
@are added the "type: bug" (This issue reports a bug.) label on Oct 10, 2022
@yairhaimo

I have a library that uses Pusher and I want to replace it with PubNub and I run into this issue when I use the library with PubNub.
I want to supply the library without specific Webpack instructions.
Any tips on how this could be done?

@zaknuces

Is there any plan to fix this issue? This is a critical third-party component vulnerability.
https://security.snyk.io/vuln/SNYK-JS-VM2-5537100

@stephenlb
Member

Hi! Yes, the PR #331 was merged successfully, which addresses the severe vulnerability warnings for vm2 usage: https://security.snyk.io/vuln/SNYK-JS-VM2-5537100
