Skip to content
This repository has been archived by the owner on Jan 2, 2024. It is now read-only.

fix(deps): [security] bump https-proxy-agent from 2.2.2 to 2.2.4 #57

Merged
merged 1 commit into from Nov 19, 2019
Merged

fix(deps): [security] bump https-proxy-agent from 2.2.2 to 2.2.4 #57

merged 1 commit into from Nov 19, 2019

Conversation

dependabot-preview[bot]
Copy link
Contributor

Bumps https-proxy-agent from 2.2.2 to 2.2.4. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Node Security Working Group.

Man-in-the-Middle
[https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection

Affected versions: <2.2.3

Sourced from The npm Advisory Database.

Man-in-the-Middle (MitM)
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When targeting a HTTP proxy, https-proxy-agent opens a socket to the proxy, and sends the proxy server a CONNECT request. If the proxy server responds with something other than a HTTP response 200, https-proxy-agent incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.

Affected versions: < 2.2.3

Release notes

Sourced from https-proxy-agent's releases.

2.2.4

Patches

  • Add .editorconfig file: a0d4a20458498fc31e5721471bd2b655e992d44b
  • Add .eslintrc.js file: eecea74a1db1c943eaa4f667a561fd47c33da897
  • Use a net.Socket instead of a plain EventEmitter for replaying proxy errors: #83
  • Remove unused stream module: 9fdcd47bd813e9979ee57920c69e2ee2e0683cd4

Credits

Huge thanks to @​lpinca for helping!

2.2.3

Patches

  • Update README with actual secureProxy behavior: #65
  • Update proxy to v1.0.0: d0e3c18079119057b05582cb72d4fda21dfc2546
  • Remove unreachable code: 46aad0988b471f042856436cf3192b0e09e36fe6
  • Test on Node.js 10 and 12: 3535951e482ea52af4888938f59649ed92e81b2b
  • Fix compatibility with Node.js >= 10.0.0: #73
  • Use an EventEmitter to replay failed proxy connect HTTP requests: #77

Credits

Huge thanks to @​stoically, @​lpinca, and @​zkochan for helping!

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

  • Update frequency
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview
fix(deps): [security] bump https-proxy-agent from 2.2.2 to 2.2.4
a21236c 
Bumps [https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent) from 2.2.2 to 2.2.4. **This update includes security fixes.**
- [Release notes](https://github.com/TooTallNate/node-https-proxy-agent/releases)
- [Commits](TooTallNate/proxy-agents@2.2.2...2.2.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added dependencies security Pull requests that address a security vulnerability labels Nov 18, 2019
@codecov
Copy link

codecov bot commented Nov 18, 2019

Codecov Report

Merging #57 into master will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@          Coverage Diff          @@
##           master    #57   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files           1      1           
  Lines          42     42           
  Branches       16     16           
=====================================
  Hits           42     42
Flag Coverage Δ
#unit 100% <ø> (ø) ⬆️

@holvonixAdvay holvonixAdvay merged commit 560d6c1 into master Nov 19, 2019
@holvonixAdvay holvonixAdvay deleted the dependabot/npm_and_yarn/https-proxy-agent-2.2.4 branch November 19, 2019 17:57
holvonix-bot added a commit that referenced this pull request Nov 19, 2019
@holvonix-bot
chore(release): 1.2.7 [skip ci]
224a180 
## [1.2.7](v1.2.6...v1.2.7) (2019-11-19)

### 🐛 Bug Fixes

* **deps:** [security] bump https-proxy-agent from 2.2.2 to 2.2.4 ([#57](#57)) ([560d6c1](560d6c1))

### 🧦 Miscellaneous

* **deps-dev:** bump @holvonix-open/release-config-js ([#31](#31)) ([68eb087](68eb087))
* **deps-dev:** bump @types/node from 12.7.1 to 12.7.2 ([#19](#19)) ([b1f93d8](b1f93d8))
* **deps-dev:** bump typescript from 3.6.2 to 3.7.2 ([#52](#52)) ([05e421b](05e421b))
* deps are chores in a library by default ([9af7e21](9af7e21))
@holvonix-bot
Copy link
Contributor

🎉 This PR is included in version 1.2.7 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@holvonixAdvay holvonixAdvay Awaiting requested review from holvonixAdvay

Assignees

@holvonixAdvay holvonixAdvay

Labels
dependencies released security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@holvonix-bot @holvonixAdvay