Remove rejectUnauthorized:false from download flags #3086
Conversation
I'd be OK with dropping this, but I think we need some sort of documentation or environment variable opt-in.
Thanks for looking at this. If the libsass opinion is to have it on a switch, I would like to respectfully disagree. HTTP support is absolutely the expected behaviour by end users, and this CVE has prompted us to reevaluate our use of node-sass. I would personally be in favour of suggesting users download libsass themselves if it cannot be done safely over HTTPS. I don't think the documentation would benefit from detail here. I would be more than happy to add something to this effect to TROUBLESHOOTING.md.
How does one set one's own custom trusted root certificate instead, for poor folks behind SSL-intercepting corporate proxies?
As described, they can provide the binary themselves.
The linked SO post suggests
What exactly happens with this pull request if going through, say, an SSL-intercepting proxy? What message will the users get? We have to work from there.
Sorry, but I have no way of testing this. The balance of importance given to fixing a CVE vs. the convenience of users with SSL interception is somewhat confounding.
This should resolve #3067.
`rejectUnauthorized: false` was added in #567. It would seem more important to resolve CVE-2020-24025 than to support misconfigured enterprise proxies.