[SECURITY] Vulnerability in netmask package

[tandrus]

1) What version of the module is the issue happening on? Does the issue happen on latest version?
Version 0.23.0 Yes, latest version.

2) What platform and Node.js version? (For example Node.js 6.9.1 on Mac OS X)
Node.js 14.15.4 Ubuntu 20.04.2 LTS

3) Does the action work when you manually perform request against mailgun using curl (or other means)?
Not apply

4) Sample source code or steps to reproduce
npm audit

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ netmask npm package vulnerable to octal input data │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ netmask │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mailgun-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ mailgun-js > proxy-agent > pac-proxy-agent > pac-resolver > │
│ │ netmask │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1658 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 1139 scanned packages
1 vulnerability requires manual review. See the full report for details.

Solution
Update proxy-agent to version 4.0.1 because it uses pax-proxy-agent (4.x) -> uses pac-resolver (4.x) -> uses netmask (2.0.1)

[thelebdev]

Are there any updates on this?

[tandrus]

@thelebdev that package is abandonded.
On mailgun site - you can find that this library is official - https://github.com/mailgun/mailgun-js

I moved to this library (it's not a big deal - just changing several lines in code).

[jheroje]

@tandrus It is a big deal indeed. Old package has security vulnerabilities; Mailgun official documentation is using the old and unofficial library, while the new one has been several years on development; The only documentation pointing to the new one is in the Github readme and it doesn't work. There are several issues open regarding updating documentation, solving the vulnerability, etc, and the only sensible solution I have seen, posted just a few days ago, was using node fetch and request the URLs by hand (ignoring both old and new libraries), and even this has given problems to people with EU domains. It is really underwhelming the current state of the project.

At this point the vulnerability should be hotfixed in the old package, even if it's unsupported, at least until the new package is stable and documented enough to be usable.