@ionic/cli critical vulnerabiliy with vm2

[anthony-bernardo]

It's seems that there is a vulnerability within @ionic/cli

vm2  <3.9.11
Severity: critical
vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host - https://github.com/advisories/GHSA-mrgp-mrhc-5jrq

└─┬ @ionic/cli@6.20.3
  └─┬ superagent-proxy@3.0.0
    └─┬ proxy-agent@5.0.0
      └─┬ pac-proxy-agent@5.0.0
        └─┬ pac-resolver@5.0.0
          └─┬ degenerator@3.0.2
            └── vm2@3.9.9

[jcesarmobile]

Please, only report vulnerabilities of direct dependencies.

This is no longer an issue, has been fixed automatically since none of the packages is using a package-lock.json file, so it picks latest versions available.

[jskrepnek]

If you're not using the proxy features of the CLI, just override the dep:

  "overrides": {
    "proxy-agent": "6.3.0"
  }

I've not observed any downsides so far.