
fix issue with ReDoS from the "https-proxy-agent" which should have ms version of 2.0.0 #249

Closed
wants to merge 1 commit into from

Conversation

wjrjerome

@wjrjerome wjrjerome commented May 24, 2017

See the following comments

@wjrjerome wjrjerome changed the title fix issue with ReDoS from ms from the https-proxy-agent fix issue with ReDoS from the "https-proxy-agent" which should have ms version of 2.0.0 May 25, 2017
@wjrjerome
Author

There might be a bug with NPM. If you install https-proxy-agent@0.3.6, this will pull down ms@2.0.0.
If you try to install newrelic, it pulls down https-proxy-agent v0.3.6 but with ms@0.7.3.

@wjrjerome
Author

wjrjerome commented May 25, 2017

⇒ npm install https-proxy-agent@0.3.6
service-push@1.0.0 /Users/lito/Work/api-service-push
└─┬ https-proxy-agent@0.3.6
  ├── agent-base@1.0.2
  ├─┬ debug@2.6.8
  │ └── ms@2.0.0
  └── extend@3.0.1

and

⇒ npm install newrelic
service-push@1.0.0 /Users/lito/Work/api-service-push
└─┬ newrelic@1.39.1
  ├─┬ concat-stream@1.6.0
  │ ├── inherits@2.0.3
  │ ├─┬ readable-stream@2.2.9
  │ │ ├── buffer-shims@1.0.0
  │ │ ├── core-util-is@1.0.2
  │ │ ├── isarray@1.0.0
  │ │ ├── process-nextick-args@1.0.7
  │ │ ├── string_decoder@1.0.0
  │ │ └── util-deprecate@1.0.2
  │ └── typedarray@0.0.6
  ├─┬ https-proxy-agent@0.3.6
  │ ├── agent-base@1.0.2
  │ ├─┬ debug@2.6.6
  │ │ └── ms@0.7.3
  │ └── extend@3.0.1
  ├── json-stringify-safe@5.0.1
  ├─┬ readable-stream@1.1.14
  │ ├── core-util-is@1.0.2
  │ ├── inherits@2.0.3
  │ ├── isarray@0.0.1
  │ └── string_decoder@0.10.31
  └── semver@5.3.0

@wjrjerome
Author

Could someone take a look?

@NatalieWolfe
Contributor

Hi @wjrjerome,

This is not a bug in npm, but an artifact of our bundling of dependencies with the agent. At the time that we published the last version of the agent (v1.39.1 on 2017-05-11), the debug module was at 2.6.6, which is reflected in the npm ls you've provided. This version of debug has ms@0.7.3 in its package.json. Since then, debug has had two more releases and upgraded to ms@2.0.0. Our next release of the agent will pick up this newer version, and you can expect this release soon.

@NatalieWolfe
Contributor

NatalieWolfe commented Jun 7, 2017

We just released version 1.40.0 and it now comes with ms@2.0.0. Please let me know if this works for you now or if anything else has come up. Thanks!

$ npm ls
t@1.0.0 /Users/nwolfe/t
├─┬ https-proxy-agent@0.3.6
│ ├── agent-base@1.0.2
│ ├─┬ debug@2.6.8
│ │ └── ms@2.0.0
│ └── extend@3.0.1
└─┬ newrelic@1.40.0
  ├─┬ concat-stream@1.6.0
  │ ├── inherits@2.0.3
  │ ├─┬ readable-stream@2.2.11
  │ │ ├── core-util-is@1.0.2
  │ │ ├── inherits@2.0.3 deduped
  │ │ ├── isarray@1.0.0
  │ │ ├── process-nextick-args@1.0.7
  │ │ ├── safe-buffer@5.0.1
  │ │ ├─┬ string_decoder@1.0.2
  │ │ │ └── safe-buffer@5.0.1 deduped
  │ │ └── util-deprecate@1.0.2
  │ └── typedarray@0.0.6
  ├─┬ https-proxy-agent@0.3.6
  │ ├── agent-base@1.0.2
  │ ├─┬ debug@2.6.8
  │ │ └── ms@2.0.0
  │ └── extend@3.0.1
  ├── json-stringify-safe@5.0.1
  ├─┬ readable-stream@1.1.14
  │ ├── core-util-is@1.0.2
  │ ├── inherits@2.0.3
  │ ├── isarray@0.0.1
  │ └── string_decoder@0.10.31
  └── semver@5.3.0
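The two `npm ls` trees above show the point of this thread: a package can be installed once at the top level with a fixed version and again, at a different version, nested under a dependency that bundles its own copy. Checking only the top-level `ms` would miss the `0.7.3` copy under `newrelic`. The following is an added example, not code from this PR or from the New Relic agent, that walks the JSON form of `npm ls --json` and reports every copy of a named package below a minimum version. The tree is constructed to mirror the output posted above; the simple version comparison (no pre-release handling) is an assumption that is sufficient for the versions in this thread.

```javascript
// Added example, not part of the PR or the newrelic agent: find every nested
// copy of a package below a minimum version in an `npm ls --json` tree.

// Constructed sample in the shape `npm ls --json` produces:
// { name, version, dependencies: { <name>: { version, dependencies: {...} } } }
// It mirrors the thread: top-level https-proxy-agent resolves ms@2.0.0, but the
// copy bundled under newrelic@1.39.1 still carries debug@2.6.6 -> ms@0.7.3.
const sampleTree = {
  name: 'service-push',
  version: '1.0.0',
  dependencies: {
    'https-proxy-agent': {
      version: '0.3.6',
      dependencies: {
        'agent-base': { version: '1.0.2' },
        debug: { version: '2.6.8', dependencies: { ms: { version: '2.0.0' } } },
        extend: { version: '3.0.1' },
      },
    },
    newrelic: {
      version: '1.39.1',
      dependencies: {
        'https-proxy-agent': {
          version: '0.3.6',
          dependencies: {
            'agent-base': { version: '1.0.2' },
            debug: { version: '2.6.6', dependencies: { ms: { version: '0.7.3' } } },
            extend: { version: '3.0.1' },
          },
        },
        semver: { version: '5.3.0' },
      },
    },
  },
};

// Compare two dotted numeric versions ("0.7.3" vs "2.0.0"); returns -1, 0 or 1.
// Pre-release suffixes are stripped and ignored (assumption: good enough here).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk; calls visit(name, version, path) for every installed copy,
// including duplicates nested under bundling dependencies.
function walk(node, path, visit) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version}`];
    visit(name, child.version, here);
    walk(child, here, visit);
  }
}

// Return every path to `pkg` whose installed version is below `minVersion`.
function findOutdated(tree, pkg, minVersion) {
  const hits = [];
  walk(tree, [], (name, version, path) => {
    if (name === pkg && compareVersions(version, minVersion) < 0) {
      hits.push({ version, path: path.join(' > ') });
    }
  });
  return hits;
}

// Real use: `npm ls --json > tree.json`, then pass JSON.parse of that file in
// place of sampleTree. Here the constructed tree is checked for ms < 2.0.0.
for (const hit of findOutdated(sampleTree, 'ms', '2.0.0')) {
  console.log(`ms@${hit.version} via ${hit.path}`);
}
```

Run against the constructed tree it reports one hit, `ms@0.7.3 via newrelic@1.39.1 > https-proxy-agent@0.3.6 > debug@2.6.6 > ms@0.7.3`, and nothing for the top-level `ms@2.0.0`, which is exactly the distinction the comments above draw.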

@NatalieWolfe
Contributor

Hi @wjrjerome, have you had a chance to try version 1.40.0? Does it resolve your issue?

@wjrjerome
Author

Hi @NatalieWolfe,
Apologies for the late response. Yes, we tested and it's all good now. I will close the PR.

Many thanks

@wjrjerome wjrjerome closed this Jun 13, 2017
@NatalieWolfe
Contributor

Awesome! Glad we could fix this for you.

bizob2828 pushed a commit to bizob2828/node-newrelic that referenced this pull request Apr 19, 2024
bizob2828 pushed a commit to bizob2828/node-newrelic that referenced this pull request Apr 23, 2024