@remix-run/dev critical security vulnerabilities from dependencies

[dT-Nick]

What version of Remix are you using?

1.18.1

Are all your remix dependencies & dev-dependencies using the same version?

• Yes

Steps to Reproduce

Install all remix packages 1.18.1.
Run npm audit.

Expected Behavior

Should be 0 critical vulnerabilities.

Actual Behavior

npm audit outputs the following:

vm2  *
Severity: critical
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-cchq-frgv-rjh5
fix available via `npm audit fix --force`
Will install @remix-run/[email protected], which is a breaking change
node_modules/vm2
  degenerator  >=3.0.0
  Depends on vulnerable versions of vm2
  node_modules/degenerator
    pac-resolver  >=5.0.0
    Depends on vulnerable versions of degenerator
    node_modules/pac-resolver
      pac-proxy-agent  >=5.0.0
      Depends on vulnerable versions of pac-resolver
      node_modules/pac-proxy-agent
        proxy-agent  >=5.0.0
        Depends on vulnerable versions of pac-proxy-agent
        node_modules/proxy-agent
          @remix-run/dev  <=0.0.0-nightly-ff40409-20230514 || >=1.7.3-pre.0
          Depends on vulnerable versions of proxy-agent
          node_modules/@remix-run/dev

word-wrap  *
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
  optionator  0.8.3 - 0.9.1
  Depends on vulnerable versions of word-wrap
  node_modules/escodegen/node_modules/optionator

As an extra, the moderate vulnerability with word-wrap seems to be a dependency of escodegen, which is a dependency of degenerator - so I'm assuming that's coming from the same chain of dependencies from @remix-run/dev 1.18.1

I'm guessing this is already known & obvious - but can't see any issues reported in relation to it, or anything on the discord. Don't know if these security vulnerabilities are worth creating an issue for or not.

[lukehsiao]

vm2 is discontinued now, due to these vulnerabilities: patriksimek/vm2#533

These are also in the GitHub Advisory Database, meaning many more people that use Remix will be getting critical security notifications automatically from GitHub.

• GHSA-g644-9gfx-q4q4
• GHSA-cchq-frgv-rjh5

The degenerator repo has a ticket: TooTallNate/proxy-agents#218

[roughee]

Since the vulnerability is on dependency of pac-proxy-agent

@freeman Would it make sense to change proxy-agent to lower level imports of http-proxy-agent / https-proxy-agent ?

Since this is the only place that uses it in remix/dev:
https://github.com/remix-run/remix/blob/main/packages/remix-dev/cli/create.ts#L10

[heitorsilva]

The ticket got solved today, with version 6.3.0 of the proxy-agent.

[roughee]

upgrade proxy-agent to 6.3.0 that changes from vm2 to quickjs-emscripten

PR #6862

[brophdawg11]

FWIW, proxy-agent is only used by packages/dev/cli/create.ts (npx create-remix) so it's not something ever used by your app at runtime, so I don't think the vulnerability (which of course sounds scary) is actually a live app vulnerability?

The create-remix CLI is also in the process of being rewritten in #6887, so we can update to the latest proxy-agent in there. We planned for 1.19.0 to be the last release prior to 2.0.0 so since this is not a vulnerability that impacts runtime applications I don't know that we'll be interested in hotfixing this out since we can just use the latest proxy-agent in #6887?

[roughee]

@brophdawg11 I think for most people seeing this dependency is some SAST that will fail their security check pipeline because of a critical CVA dependency in the repository.

Even if remix-dev is not part of app at runtime and even the proxy-agent used is not the pac one (which is only there because it had all of proxy agents as dependencies)

I guess it's more of a question when do you plan to release 2.0.0 - if you have a release date then it's a much easier proposal just to wait.

[dgadelha]

I was able to solve the audit issue locally by adding this to package.json:

  "overrides": {
    "pac-resolver": "^7.0.0"
  }

[brophdawg11]

This is fixed by #7027 and should be available when 1.19.2 is released - targeting later this week

[brophdawg11]

This can also be tested in 1.19.2-pre.0 currently if anyone would like to validate the fix

[github-actions]

🤖 Hello there,

We just published version 1.19.2-pre.0 which involves this issue. If you'd like to take it for a test run please try it out and let us know what you think!

Thanks!

[roughee]

@brophdawg11

Seems fine now.

npx create-remix@latest --template remix-run/indie-stack blog-tutorial

1.19.1

npx [email protected] --template remix-run/indie-stack blog-tutorial

1.19.2-pre.0

[github-actions]

🤖 Hello there,

We just published version v0.0.0-nightly-3b808ce-20230802 which involves this issue. If you'd like to take it for a test run please try it out and let us know what you think!

Thanks!

[github-actions]

🤖 Hello there,

We just published version 1.19.2-pre.1 which involves this issue. If you'd like to take it for a test run please try it out and let us know what you think!

Thanks!

[github-actions]

🤖 Hello there,

We just published version v0.0.0-nightly-7cb1e7e-20230803 which involves this issue. If you'd like to take it for a test run please try it out and let us know what you think!

Thanks!

[github-actions]

🤖 Hello there,

We just published version 1.19.2-pre.2 which involves this issue. If you'd like to take it for a test run please try it out and let us know what you think!

Thanks!

[github-actions]

🤖 Hello there,

We just published version 1.19.2 which involves this issue. If you'd like to take it for a test run please try it out and let us know what you think!

Thanks!