ionic-cli
npm WARN deprecated [email protected]: The library contains critical security issues
**Description:**
When I install the latest Ionic CLI, it throws a deprecation warning and the latest CLI version is not installed.
**Steps to Reproduce:** Run the commands below, per the official guide here.

```sh
$ npm uninstall -g ionic
$ npm install -g @ionic/cli
```

**Output:**

```
$sudo npm uninstall -g @ionic/cli
Password:
removed 224 packages in 1s
\W $sudo npm install -g @ionic/cli
npm WARN deprecated [email protected]: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.
```
**My `ionic info`:**
The Ionic CLI is not installed, so the `ionic info` command cannot be run.
**Other Information:**
The project is discontinued. The CVE is of very high severity (9.8 of 10), https://nvd.nist.gov/vuln/detail/CVE-2023-37466, and the package should be replaced by https://www.npmjs.com/package/isolated-vm.
I don't know the Ionic codebase, but vm2, which is used to "run untrusted code in Node", should be an optional part of a framework.
`npm audit` result:

```
vm2  *
Severity: critical
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-cchq-frgv-rjh5
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-g644-9gfx-q4q4
fix available via `npm audit fix --force`
Will install @ionic/[email protected], which is a breaking change
node_modules/vm2
  degenerator  3.0.0 - 4.0.4
  Depends on vulnerable versions of vm2
  node_modules/@puppeteer/browsers/node_modules/degenerator
  node_modules/degenerator
    pac-resolver  5.0.0 - 6.0.2
    Depends on vulnerable versions of degenerator
    node_modules/@puppeteer/browsers/node_modules/pac-resolver
    node_modules/pac-resolver
      pac-proxy-agent  5.0.0 - 6.0.4
      Depends on vulnerable versions of pac-resolver
      node_modules/@puppeteer/browsers/node_modules/pac-proxy-agent
      node_modules/pac-proxy-agent
        proxy-agent  5.0.0 - 6.2.2
        Depends on vulnerable versions of pac-proxy-agent
        node_modules/@puppeteer/browsers/node_modules/proxy-agent
        node_modules/proxy-agent
          @puppeteer/browsers  1.4.0 - 1.4.4
          Depends on vulnerable versions of proxy-agent
          node_modules/@puppeteer/browsers
            puppeteer  20.4.0 - 20.8.1
            Depends on vulnerable versions of @puppeteer/browsers
            Depends on vulnerable versions of puppeteer-core
            node_modules/puppeteer
            puppeteer-core  20.4.0 - 20.8.1
            Depends on vulnerable versions of @puppeteer/browsers
            node_modules/puppeteer-core
          superagent-proxy  >=3.0.0
          Depends on vulnerable versions of proxy-agent
          node_modules/superagent-proxy
            @ionic/cli  >=6.18.1
            Depends on vulnerable versions of superagent-proxy
            node_modules/@ionic/cli
```
The ionic cli itself, mainly to download the starter templates when running `ionic start`, has to do HTTP requests. These requests are done using the superagent package. In order for superagent to support proxies it uses the superagent-proxy package, which has not been updated in the last 2 years (but may be getting another update soon just to address this issue, see https://github.com/TooTallNate/superagent-proxy/pull/50).

A proxy server can be configured either by manually specifying the proxy parameter or by a proxy auto-configuration script (PAC). A PAC is basically a JavaScript script that computes the proxy parameters dynamically based on the destination. PAC resolution is performed by the proxy-agent dependency by running the script in a sandboxed VM. Older versions of proxy-agent ultimately depend on the deprecated vm2 package to run such JS code in a sandboxed environment; newer versions don't.

So, if you are in a network with an auto-configured proxy and run `ionic start` (or add Cordova integration through `ionic integration add cordova`), you are allowing the network administrator that publishes the proxy script to run arbitrary code on your machine, thanks to the vm2 bug.

If you are not using an auto-configured proxy on your development computer, you are not at risk and may disregard the warning.
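An added example, not code from this issue or from the ionic-cli project: a small Node script that reproduces the "Depends on vulnerable versions of ..." reasoning of `npm audit` over an installed dependency tree, so a maintainer can see every chain from the root package to a flagged dependency and check an installed version against the range forms npm prints above (`*`, `a.b.c - x.y.z`, `>=a.b.c`). The tree is constructed from the package names in the audit output; its version strings are illustrative, and the function names `findChains`, `transitivelyAffected` and `inAffectedRange` are my own.

```javascript
// Added example, not code from the ionic-cli issue or project: reproduce the
// "Depends on vulnerable versions of ..." reasoning of `npm audit` over an
// installed dependency tree, listing every chain from the root package to a
// flagged dependency and checking an installed version against an advisory
// range. The tree is CONSTRUCTED from the package names in the audit output
// above; its version strings are illustrative, not a real install.
const installedTree = {
  '@ionic/cli':       { version: '7.0.0', dependencies: ['superagent', 'superagent-proxy'] },
  'superagent':       { version: '8.0.0', dependencies: [] },
  'superagent-proxy': { version: '3.0.0', dependencies: ['proxy-agent'] },
  'proxy-agent':      { version: '6.2.2', dependencies: ['pac-proxy-agent'] },
  'pac-proxy-agent':  { version: '6.0.4', dependencies: ['pac-resolver'] },
  'pac-resolver':     { version: '6.0.2', dependencies: ['degenerator'] },
  'degenerator':      { version: '4.0.4', dependencies: ['vm2'] },
  'vm2':              { version: '3.9.0', dependencies: [] },
};

// Minimal "major.minor.patch" parsing; enough for the range forms npm audit prints.
function parseVersion(v) {
  const parts = v.trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Supports the three range forms seen in the audit output: "*", ">=a.b.c", "a.b.c - x.y.z".
function inAffectedRange(version, rangeText) {
  const range = rangeText.trim();
  if (range === '*') return true;                                  // every version affected
  if (range.startsWith('>=')) return compareVersions(version, range.slice(2)) >= 0;
  const m = range.match(/^(\S+)\s*-\s*(\S+)$/);                    // inclusive "low - high"
  if (!m) throw new Error(`unsupported range: ${rangeText}`);
  return compareVersions(version, m[1]) >= 0 && compareVersions(version, m[2]) <= 0;
}

// Depth-first search for every dependency chain from `root` to `target`.
// `onPath` guards against cycles, which real npm trees can contain.
function findChains(tree, root, target) {
  const chains = [];
  const walk = (name, path, onPath) => {
    if (onPath.has(name)) return;
    const nextPath = [...path, name];
    if (name === target) { chains.push(nextPath); return; }
    const node = tree[name];
    if (!node) return;                                             // missing or optional dep: nothing to follow
    onPath.add(name);
    for (const dep of node.dependencies) walk(dep, nextPath, onPath);
    onPath.delete(name);
  };
  walk(root, [], new Set());
  return chains;
}

// Every installed package that reaches `target`, directly or transitively:
// the set npm audit reports as "Depends on vulnerable versions of ...".
function transitivelyAffected(tree, target) {
  return Object.keys(tree)
    .filter((name) => name !== target && findChains(tree, name, target).length > 0)
    .sort();
}

for (const chain of findChains(installedTree, '@ionic/cli', 'vm2')) {
  console.log(chain.join(' -> '));
}
console.log('affected:', transitivelyAffected(installedTree, 'vm2').join(', '));
console.log('degenerator 4.0.4 in "3.0.0 - 4.0.4":', inAffectedRange('4.0.4', '3.0.0 - 4.0.4'));
```

Run it with `node` and it prints the single chain from `@ionic/cli` down to `vm2`; the same walk over a real install would be fed from `npm ls --all --json` or the lockfile, and a package that does not reach `vm2` (here `superagent`) is correctly left out of the affected set.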
Is there a way to reduce dependencies? A PAC proxy is an edge case for a dev machine. Have you thought about a kind of plugin / extension?
It is not so nice to have CVEs in any project because of exploitation chains.