Create advisories for past breakouts and security policy for future reports

[cristianstaicu]

Hi there,

Since this is a high-profile package on npm and many GitHub repositories rely on it for isolation, I was wondering if disclosure of security issues shouldn't be done in a more organized/principled way? If you agree with me, please create a security policy (https://github.com/patriksimek/vm2/security/policy) with a security email address for the volunteers to report to. Additionally, it would be great to have security advisories (https://github.com/patriksimek/vm2/security/advisories) for past breakouts so that users are informed when they install a vulnerable version. Here is a possibly incomplete list of them:

#76
#187
#197
#224
#225
#268
#276
#285

Best,
Cris

[cristianstaicu]

Hi there,

Since setting up a policy and creating CVEs can be easily done from the "Security" tab above, I thought of reminding you about this open issue. It should not take more than 10-15 mins to resolve.

Best,
Cris

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[cristianstaicu]

It's a pity that a critical package for the npm ecosystem treats security this way.

[patriksimek]

Hi Christian, unfortunately, I can't currently put any time into maintaining the package. However, I'm happy to add you or anyone who would be interested in maintaining it.

[cristianstaicu]

Hey Patrik, I would like to help with issuing the advisories, but unfortunately, I do not think I can commit to putting in the necessary development effort required for maintaining this package. As you may have seen, we are trying to report some sandbox breakout vulnerabilities in the latest version (#363 ), and we believe it would require quite some dev effort to fix them. Isn't there a way to ask help from the community for this, e.g., https://huntr.dev/ or https://sos.dev/ ?

[cmawhorter]

oof. i'm so confused. i received a GH alert about a fixed critical vuln., but having trouble finding the code that addresses it.

it seems the two primary devs no longer have time to maintain it -- perhaps it's time to EOL vm2? talk of handing over dev to a new party makes my supply chain spidey sense tingle.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jjhbw]

Bump to ensure this issue isn't closed.

IMO this issue is critical. Recent commits have proven very difficult to 'audit' and the changelog is IMO pretty opaque. This combined with the fact that a new maintainer took over really hurts confidence. Supply chain risk in the ecosystem is very real as we've seen in the last years.

The new maintainer @XmiliaH seems active and I do not want to imply he/she is acting in bad faith. I'm just saying that improving the interpretability of commits for non-maintainers and actually documenting security fixes would go a long way.

I really respect the maintainer's work, and I realise i'm getting the immense work that this library represents for free. Please consider the above advice instead of armchair criticism.

[patriksimek]

Closing this, as both the security policy and advisories are now in place. Thank you.