Remove proxy-agent, not used #219

Merged
merged 1 commit into from
Jul 17, 2023

Contributor

@LoneRifle LoneRifle commented Jul 14, 2023

proxy-agent was made redundant after #172, which introduced v3 of aws-sdk. This meant that any proxy-related config was done on the AWS.CloudwatchLogs instance, rather than on WinstonCloudwatch.

Removing this dependency avoids a reported critical vulnerability with vm2, inherited via proxy-agent and its dependencies. Note that this vulnerability cannot actually be triggered, given that winston-cloudwatch no longer uses proxy-agent.

Fixes #218
Supersedes #216

Acknowledgements

This PR is submitted as part of work for @opengovsg (Open Government Products, Singapore).

proxy-agent was made redundant after #172, which introduced v3 of
aws-sdk. This meant that any proxy-related config was done on the
`AWS.CloudwatchLogs` instance, rather than on `WinstonCloudwatch`

Removing this dependency avoids a critical vulnerability with vm2,
inherited via proxy-agent and its dependencies.

Fixes #218
Supersedes #216
@LoneRifle
Contributor Author

@lazywithclass - thanks for your stewardship of this package over the years. Given the current response to vm2, it would be helpful for us to resolve this false positive soon, so that teams dependent on this package can move on and focus on genuine issues relating to vm2.

Would you be kind enough to either vet this PR and cut a release with it if it passes muster, or grant the needed privileges for me to do so?

Thanks in advance.

@lazywithclass lazywithclass merged commit 88bd528 into lazywithclass:master Jul 17, 2023
@lazywithclass
Owner

winston-cloudwatch@6.2.0 is out. Thank you for your patience and effort helping the project.
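
Added example, not part of the PR thread or the winston-cloudwatch code base: one way to confirm from a `package-lock.json` that vm2 is only reachable through proxy-agent, and that it drops out of the tree once that dependency is removed. The lockfile excerpts are constructed, and `intermediate-dep` is a placeholder standing in for proxy-agent's own dependencies.

```javascript
// Resolve a dependency the way Node does: nearest node_modules first,
// then each enclosing package's node_modules, up to the project root.
function resolveDep(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Breadth-first search: shortest chain of names ending at `target`, or null.
function shortestChain(packages, startPath, startName, target) {
  const queue = [[startPath, [startName]]];
  const seen = new Set([startPath]);
  while (queue.length) {
    const [path, chain] = queue.shift();
    if (chain[chain.length - 1] === target) return chain;
    const { dependencies, optionalDependencies } = packages[path];
    for (const name of Object.keys({ ...dependencies, ...optionalDependencies })) {
      const next = resolveDep(packages, path, name);
      if (!next || seen.has(next)) continue; // unresolved or already queued
      seen.add(next);
      queue.push([next, [...chain, name]]);
    }
  }
  return null;
}

// One chain per direct dependency of the root project that pulls in `target`.
function whyInstalled(lock, target) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const direct = { ...root.dependencies, ...root.devDependencies, ...root.optionalDependencies };
  return Object.keys(direct).flatMap((name) => {
    const start = resolveDep(packages, "", name);
    const chain = start && shortestChain(packages, start, name, target);
    return chain ? [chain.join(" > ")] : [];
  });
}

// Constructed lockfile excerpts; `intermediate-dep` is a placeholder name.
const entry = (deps) => ({ dependencies: Object.fromEntries(deps.map((d) => [d, "*"])) });
const beforeLock = { packages: {
  "": entry(["winston-cloudwatch"]), "node_modules/winston-cloudwatch": entry(["proxy-agent"]),
  "node_modules/proxy-agent": entry(["intermediate-dep"]),
  "node_modules/intermediate-dep": entry(["vm2"]), "node_modules/vm2": entry([]) } };
const afterLock = { packages: { "": entry(["winston-cloudwatch"]), "node_modules/winston-cloudwatch": entry([]) } };
```

On a real project, pass the parsed `package-lock.json` (lockfileVersion 2 or 3) to `whyInstalled(lock, "vm2")`; `npm explain vm2` gives the equivalent answer for an installed tree.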

Successfully merging this pull request may close these issues.

vm2 Sandbox Escape vulnerability