New version of Jsreport V2 to fix the vm2 issue



  • Hi Jan,

    vm2 issue: https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
    This one seems to affect jsreport-core V2. I know V3 is ready, but, just as you said in the V3 release note, V2 works fine for us, and we are not going to upgrade to V3 in the near future. Could you please make a new release of V2 to upgrade vm2 to 3.9.18? Thank you very much!



  • Unfortunately, there will be some vulnerability exposures revealed every week.
    We would release a v2 update, but it makes no sense when it happens so often.
    It's almost two years since v3 shipped.

    If you eventually let external, potentially dangerous users use jsreport, and you don't use the jsreport docker workers extension to isolate the requests, you need to stay with the latest.

    On the other hand, if your jsreport instance is used just by your team, then just ignore these exposures.
    jsreport evaluates your code just like .net runtime or java, and you can do there anything you want anyway.

    The last option. jsreport-core is open source, so if you really need it, go ahead and update the dependencies you need.



  • Hahaha! Your reply is almost the same as I expected. However, it is reasonable. The security issue cannot just be ignored because of the code check tool. I can try to use the "overrides" feature of NPM to upgrade vm2 directly. Maybe we could upgrade to Jsreport V3 as well later.
    Thank you! Have a nice day! @jan_blaha
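The last post mentions using npm "overrides" to force the transitive vm2 dependency to 3.9.18 without waiting for a new jsreport-core release. The following is an added example, not code from this thread or from the jsreport project: it shows the package.json fragment that does that and a small check that walks the installed dependency tree (in the shape `npm ls vm2 --json --all` prints) to confirm no older vm2 copy survived the install. It assumes npm 8.3 or newer, where "overrides" was introduced; the package names, version ranges and the dependency trees are constructed for the example.

```javascript
// Added example, not code from the jsreport forum thread or the jsreport project.
// Pins the transitive vm2 dependency via npm "overrides" (npm >= 8.3) and verifies
// that every vm2 copy in the installed tree is at the pinned version or newer.
// Package names/versions and the dependency trees below are constructed.

const MIN_VM2 = "3.9.18"; // version asked for in the thread

// package.json fragment: "overrides" applies to vm2 wherever it appears in the tree
const packageJson = {
  name: "my-report-service",                // constructed
  version: "1.0.0",
  dependencies: { "jsreport-core": "2.x" }, // constructed range
  overrides: { vm2: MIN_VM2 },
};

// Compare dotted numeric versions; returns -1, 0 or 1. A plain string comparison
// would wrongly rank "3.9.2" above "3.9.18", so compare segment by segment.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk a tree shaped like `npm ls vm2 --json --all` output and collect every
// vm2 node with the path it sits under, so nested duplicates are not missed.
function collectVm2(tree, path = [], found = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === "vm2" && node.version) {
      found.push({ path: here.join(" > "), version: node.version });
    }
    collectVm2(node, here, found);
  }
  return found;
}

// Check that package.json carries the override and that no installed vm2 copy
// is older than MIN_VM2. Returns the stale copies so the caller can report them.
function checkVm2Override(pkg, tree) {
  const hasOverride = !!(pkg.overrides && pkg.overrides.vm2);
  const stale = collectVm2(tree).filter(
    (n) => compareVersions(n.version, MIN_VM2) < 0
  );
  return { hasOverride, stale, ok: hasOverride && stale.length === 0 };
}

// Constructed trees: before and after `npm install` with the override in place.
const treeBefore = {
  name: "my-report-service",
  dependencies: {
    "jsreport-core": {
      version: "2.0.0", // constructed
      dependencies: { vm2: { version: "3.9.0" } }, // constructed older copy
    },
  },
};
const treeAfter = {
  name: "my-report-service",
  dependencies: {
    "jsreport-core": {
      version: "2.0.0", // constructed
      dependencies: { vm2: { version: MIN_VM2 } },
    },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("before override:", checkVm2Override(packageJson, treeBefore));
  console.log("after override: ", checkVm2Override(packageJson, treeAfter));
}
```

In a real project the tree comes from `npm ls vm2 --json --all` after `npm install`; an override only changes what npm resolves, so the check is what confirms it actually took effect (for example, that no copy was still pulled in from a lockfile that was not regenerated). The version comparison is deliberately numeric rather than lexical so that 3.9.18 is correctly ranked above 3.9.2.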

