Skip to content

fix(deps): update dependency pm2 to v7 [security]#1635

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-pm2-vulnerability
Open

fix(deps): update dependency pm2 to v7 [security]#1635
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-pm2-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 20, 2026

This PR contains the following updates:

Package Change Age Confidence
pm2 (source) ^6.0.13^7.0.0 age confidence

pm2 Regular Expression Denial of Service vulnerability

CVE-2025-5891 / GHSA-x5gf-qvw8-r2rm

More information

Details

A vulnerability classified as problematic was found in Unitech pm2 prior to 7.0.0. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Severity

  • CVSS Score: 2.1 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

Unitech/pm2 (pm2)

v7.0.0

Compare Source

Breaking Changes
  • Require Node.js >= 18.0.0 (dropped Node.js 16 support)
Core Refactor
  • Internalize pm2-axon, pm2-axon-rpc, pm2-io-bpm, pm2-io-agent, fclone as local modules (reduced supply chain surface)
  • Internalize pm2-multimeter and charm into lib/tools/multimeter (zero external deps)
  • Add Bun runtime support (ProcessContainerBun.js, ProcessContainerForkBun.js)
  • Replace needle with native fetch (CliAuth, TAR publish)
  • Replace enquirer with lightweight built-in prompt (boilerplate selector)
  • Replace promptly with built-in lib/tools/prompt
  • Replace mkdirp with native fs.mkdirSync({ recursive: true })
  • Replace source-map-support with native process.setSourceMapsEnabled()
  • Replace sprintf-js with template literals (Dashboard)
  • Replace url.parse() with native URL constructor (Serve, Utility, CliAuth)
  • Remove fclone npm dep, use internalized module
  • Drop auto source map file detection in Common.prepareAppConf
Security
  • CVE-2025-5891 Fix ReDoS in Config.js string-to-array split regex #​6075
  • CVE-2026-27699 Update proxy-agent to 6.5.0, basic-ftp to 5.3.1 #​6088
  • Fix command injection in WebAuth.js open() — replace exec() with execFile() #​6089
  • Fix command injection in PM2IO.js open() — replace exec() with execFile(), validate SUDO_USER
  • Fix command injection in lib/tools/open.js — replace exec() with execFile(), validate SUDO_USER
  • Fix prototype pollution in Configuration.set/unset via proto key traversal #​6089
  • Fix HttpInterface env stripping never executing (WEB_STRIP_ENV_VARS) #​6089
Bug Fixes
  • Rewrite TreeKill: single ps snapshot + in-memory tree build, eliminates race conditions. SIGKILL escalation now targets surviving child processes directly instead of re-walking a dead tree #​6084
  • Fix [object Object] env vars leaked to fork mode subprocesses #​6073
  • Fix Windows home path: use os.homedir() instead of HOMEPATH/HOMEDRIVE env vars #​6106
  • Fix Windows TreeKill callback consistency
  • Fix missing BPM monitoring injection in Bun cluster mode (ProcessContainerBun.js)
  • Fix ReferenceError crash in Bun cluster console overrides when disable_logs is true
  • Fix CliAuth wrong credentials error displaying "undefined" instead of error message
Features
  • Add --ftp option to pm2 serve for directory listing (python http.server style)
Dependencies
  • Add OpenTelemetry tracing as direct dependencies (@​opentelemetry/api, sdk-node, auto-instrumentations-node)
  • Upgrade OpenTelemetry packages to latest
  • Update pidusage from 3.0.2 to 4.0.1
  • Upgrade ws to ^8.18.0, eventemitter2 to ^6.4.9
  • Remove needle, enquirer, promptly, mkdirp, source-map-support, sprintf-js, fclone from npm dependencies
Testing
  • Add Docker parallel test runner with Node.js and Bun support
  • Add Windows test suite (test/windows.sh)
  • Add OpenTelemetry tracing tests
  • Add TreeKill unit tests
  • Add test scripts for internalized modules (bpm, axon, axon-rpc, io-agent)
  • Fix test compatibility for Node.js 22+ and Bun
  • CI matrix: Node.js 18, 20 + latest

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants