http-proxy denial of service vulnerability #1764

Closed
broksonic21 opened this issue May 15, 2020 · 18 comments · Fixed by #1768

Comments

@broksonic21

Issue details

There is an open ticket for yargs-parser, but a new DOS for http-proxy showed up today:

```text
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > http-proxy                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1486                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

### Steps to reproduce/test case

add browser-sync to package.json, `npm install`, `npm audit`

### Please specify which version of Browsersync, node and npm you're running

- Browsersync - 2.26.7
- Node        - v14.2.0
- Npm         - 6.14.5


@fredericpfisterer

fredericpfisterer commented May 19, 2020

Patch is available now. Can somebody update the http-proxy package?

@ainsleyclark

Any movement on this?

@vidhya03

I got this in my project using browser-sync 2.26.7:

```text
High            Denial of Service
Package         http-proxy
Patched in      >=1.18.1
Dependency of   browser-sync [dev]
Path            browser-sync > http-proxy
More info       https://npmjs.com/advisories/1486
```

@denisbrodbeck

The maintainers of http-proxy fixed the issue in this commit.
They also dropped support for Node 6 here, while browser-sync still supports Node 6.

@blachawk

blachawk commented May 28, 2020

What do we do now to resolve this? Feels like we are all at a crossroad with no guard at the intersection.

@mattshirlaw-finocomp

+1 would also like to know whether there is a plan to fix this.

@edwardjosephbennett

@shakyShane Is there a chance we can get this update merged into an update? Thanks :)

@kahlan88

Would be great to get this merged soon :-) For now I'll set resolutions in my package.json, but would be awesome.

@thasmo

thasmo commented Jul 16, 2020

Any update on this, @shakyShane?

@jeffschwartz

Just asking due to no responses, but is browser-sync dead?

@kahlan88

Judging by the latest commit, which was 14 months ago, it might be.

@jeffschwartz

@kahlan88 I was thinking the same thing. Unfortunately my node app uses browsersync. Are you aware of a suitable alternative? Have you tried the forked repo requesting a pull request to fix the issue?

@kahlan88

> @kahlan88 I was thinking the same thing. Unfortunately my node app uses browsersync. Are you aware of a suitable alternative? Have you tried the forked repo requesting a pull request to fix the issue?

You can set resolutions in the package.json file, based on vulnerabilities in the yarn audit command.

Like:

```json
  "resolutions": {
    "http-proxy": "^1.18.1",
    "yargs-parser": "^13.1.2"
  }
```

Re-run `yarn audit`; the browser-sync vulnerabilities should disappear.
If you want to get rid of any other warnings - I think it's best to still first check whether there are any upgrades to packages they are caused by.

Hope that helps!
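A `resolutions` (yarn) or `overrides` (npm 8.3+) entry only helps if every nested copy of the package actually resolved to the patched version, so it is worth checking the lockfile rather than trusting the audit summary alone. The following script is an added example for this thread, not code from browser-sync or from the commenter above. It assumes a lockfileVersion 1 `package-lock.json` layout (nested `dependencies` objects with a `version` field, as npm 6 writes) and uses a constructed sample lockfile; the package names and patched versions come from the advisory output quoted in this issue.

```javascript
// Added example: verify that pinned transitive dependencies really resolved to
// a patched version, by walking a lockfileVersion-1 package-lock.json.
// Assumption: lockfileVersion 1 layout (nested "dependencies", each with "version").

// Patched floors taken from the audit output in this issue.
const PATCHED = { 'http-proxy': '1.18.1', 'yargs-parser': '13.1.2' };

// Minimal semver comparison on the numeric core (prerelease tags ignored).
// Returns <0, 0, >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every installed copy of a watched package that is still below its
// patched floor, together with the dependency path that pulled it in.
function findUnpatched(lock, patched = PATCHED) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (patched[name] && compareVersions(info.version, patched[name]) < 0) {
        hits.push({ name, version: info.version, path: here.join(' > ') });
      }
      walk(info.dependencies, here); // nested (non-hoisted) copies live here
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// The package.json fragment that forces the patched versions (yarn "resolutions";
// the same object works as npm "overrides" on npm >= 8.3).
function resolutionsFor(patched = PATCHED) {
  const out = {};
  for (const [name, v] of Object.entries(patched)) out[name] = `^${v}`;
  return out;
}

// Constructed sample lockfile (not a real browser-sync tree): the hoisted
// yargs-parser is already safe, but browser-sync still carries an old
// http-proxy and a nested, unpatched yargs-parser of its own.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'browser-sync': {
      version: '2.26.7',
      dependencies: {
        'http-proxy': { version: '1.18.0' },
        yargs: {
          version: '13.3.0',
          dependencies: { 'yargs-parser': { version: '13.1.1' } },
        },
      },
    },
    'yargs-parser': { version: '13.1.2' },
  },
};

// Usage: node check-lock.js [path/to/package-lock.json]; falls back to the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const h of findUnpatched(lock)) {
    console.log(`${h.name}@${h.version} is below ${PATCHED[h.name]} via ${h.path}`);
  }
  console.log('resolutions:', JSON.stringify(resolutionsFor(), null, 2));
}
```

Run it against the real lockfile after `yarn install` (or `npm install`) with the resolutions in place; if it still reports a path such as `browser-sync > http-proxy`, the override did not apply to that nested copy and `npm ls http-proxy` / `yarn why http-proxy` will show why.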

@joelspadin

> Are you aware of a suitable alternative?

@jeffschwartz I recently switched to using https://www.snowpack.dev/ for a project that had been using browsersync. I found it fairly easy to set up and it supports hot module reloading so the experience is pretty similar to browsersync but with some added bonuses like fixing up node_modules imports to work in the browser.

@kahlan88

@jeffschwartz if you look at #1768 - I think it's just been fixed :-) I will certainly try it tomorrow

@jeffschwartz

I was afraid that I'd have to delay the next release of my project so this is awesome news. Thanks to everyone getting this done for the community ♥👍👏.

@jeffschwartz

@kahlan88 yes, it's awesome and I will try later today and post a follow up. Thank you for your previous suggestion.

@jeffschwartz

After running npm update npm audit reports 0 issues and I can also report that the release works for me. Again, thanks to everyone who made this happen.
