
fix: CVE-2026-27699 update basic-ftp to 5.2.0 #6097

Open

roshil1206 wants to merge 1 commit into Unitech:master from roshil1206:fix/CVE-2026-27699-basic-ftp

Conversation


@roshil1206 roshil1206 commented Mar 22, 2026

Summary

  • Fixes CVE-2026-27699 (critical vulnerability in basic-ftp < 5.2.0)
  • Adds an npm overrides entry to pin basic-ftp to 5.2.0
  • The vulnerable dependency chain is: @pm2/agent -> proxy-agent -> pac-proxy-agent -> get-uri -> basic-ftp@5.0.5

Since basic-ftp is a transitive dependency and pm2 is typically installed globally (npm i -g pm2), users cannot resolve this with npm audit fix — it needs to be fixed in pm2 itself.

Closes #6088

Override basic-ftp transitive dependency (via @pm2/agent -> proxy-agent
-> pac-proxy-agent -> get-uri -> basic-ftp) from 5.0.5 to 5.2.0 to
resolve CVE-2026-27699 which affects versions < 5.2.0.

Closes Unitech#6088
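As an added check, not code from this PR or from pm2: a Node script that walks an `npm ls --all --json`-shaped dependency tree and lists every path that reaches basic-ftp at a version below 5.2.0, which is how to confirm an override (or a proxy-agent bump) actually took effect in an installed tree. The sample tree and the intermediate package versions are constructed to mirror the chain named in the description.

```javascript
// Added example, not code from the pm2 PR. Walks an `npm ls --all --json`-shaped
// tree and reports each path that reaches `name` below `fixedVersion`.
// The sample tree is constructed to mirror the chain in the PR description;
// versions of the intermediate packages are placeholders, not real releases.
const sampleTree = {
  name: "pm2",
  dependencies: {
    "@pm2/agent": { version: "0.0.1", dependencies: {
      "proxy-agent": { version: "0.0.1", dependencies: {
        "pac-proxy-agent": { version: "0.0.1", dependencies: {
          "get-uri": { version: "0.0.1", dependencies: {
            "basic-ftp": { version: "5.0.5" }, // the vulnerable leaf
          } },
        } },
      } },
    } },
  },
};

// Numeric dotted-version compare (e.g. "5.10.0" > "5.2.0"); returns <0, 0, >0.
// Pre-release tags are ignored, which is enough for a "below fixed version" check.
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk; every occurrence of `name` is recorded with its path,
// so copies nested under different parents are all reported.
function findPaths(node, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(" -> "), version: info.version });
    findPaths(info, name, here, out);
  }
  return out;
}

// Paths whose resolved version is still below the fixed release.
function vulnerablePaths(tree, name, fixedVersion) {
  return findPaths(tree, name).filter((p) => compareVersions(p.version, fixedVersion) < 0);
}

console.log(vulnerablePaths(sampleTree, "basic-ftp", "5.2.0"));
```

Against a real install, replace `sampleTree` with `JSON.parse(require("child_process").execSync("npm ls --all --json basic-ftp"))`; an empty result after the override means no copy below 5.2.0 remains in the tree.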

OIRNOIR commented Apr 24, 2026

@roshil1206 Why do we need to npm override basic-ftp? The most recent version of proxy-agent includes the updated dependency; can't we just update to that?


OIRNOIR commented Apr 24, 2026

If we update to proxy-agent@8.0.1 it should just fix things
