Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create advisories for past breakouts and security policy for future reports #338

Open
cristianstaicu opened this issue Feb 8, 2021 · 8 comments

Comments

@cristianstaicu
Copy link

Hi there,

Since this is a high-profile package on npm and many GitHub repositories rely on it for isolation, I was wondering if disclosure of security issues shouldn't be done in a more organized/principled way? If you agree with me, please create a security policy (https://github.com/patriksimek/vm2/security/policy) with a security email address for the volunteers to report to. Additionally, it would be great to have security advisories (https://github.com/patriksimek/vm2/security/advisories) for past breakouts so that users are informed when they install a vulnerable version. Here is a possibly incomplete list of them:

#76
#187
#197
#224
#225
#268
#276
#285

Best,
Cris

@cristianstaicu
Copy link
Author

Hi there,

Since setting up a policy and creating CVEs can be easily done from the "Security" tab above, I thought of reminding you about this open issue. It should not take more than 10-15 mins to resolve.

Best,
Cris

@vdata1 vdata1 mentioned this issue Sep 7, 2021
@stale
Copy link

stale bot commented Oct 2, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 2, 2021
@cristianstaicu
Copy link
Author

It's a pity that a critical package for the npm ecosystem treats security this way.

@stale stale bot removed the stale label Oct 2, 2021
@patriksimek
Copy link
Owner

Hi Christian, unfortunately, I can't currently put any time into maintaining the package. However, I'm happy to add you or anyone who would be interested in maintaining it.

@cristianstaicu
Copy link
Author

Hey Patrik, I would like to help with issuing the advisories, but unfortunately, I do not think I can commit to putting in the necessary development effort required for maintaining this package. As you may have seen, we are trying to report some sandbox breakout vulnerabilities in the latest version (#363 ), and we believe it would require quite some dev effort to fix them. Isn't there a way to ask help from the community for this, e.g., https://huntr.dev/ or https://sos.dev/ ?

@cmawhorter
Copy link

oof. i'm so confused. i received a GH alert about a fixed critical vuln., but having trouble finding the code that addresses it.

it seems the two primary devs no longer have time to maintain it -- perhaps it's time to EOL vm2? talk of handing over dev to a new party makes my supply chain spidey sense tingle.

@stale
Copy link

stale bot commented Mar 2, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Mar 2, 2022
@jjhbw
Copy link

jjhbw commented Mar 2, 2022

Bump to ensure this issue isn't closed.

IMO this issue is critical. Recent commits have proven very difficult to 'audit' and the changelog is IMO pretty opaque. This combined with the fact that a new maintainer took over really hurts confidence. Supply chain risk in the ecosystem is very real as we've seen in the last years.

The new maintainer @XmiliaH seems active and I do not want to imply he/she is acting in bad faith. I'm just saying that improving the interpretability of commits for non-maintainers and actually documenting security fixes would go a long way.

I really respect the maintainer's work, and I realise i'm getting the immense work that this library represents for free. Please consider the above advice instead of armchair criticism.

@stale stale bot removed the stale label Mar 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants