Skip to content
This repository has been archived by the owner on Jan 2, 2024. It is now read-only.

fix(deps): [security] bump https-proxy-agent from 2.2.2 to 2.2.4 #18

Merged
merged 1 commit into from
Nov 19, 2019
Merged

fix(deps): [security] bump https-proxy-agent from 2.2.2 to 2.2.4 #18

merged 1 commit into from
Nov 19, 2019

Conversation

dependabot-preview[bot]
Copy link
Contributor

Bumps https-proxy-agent from 2.2.2 to 2.2.4. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Node Security Working Group.

Man-in-the-Middle
[https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection

Affected versions: <2.2.3

Sourced from The npm Advisory Database.

Man-in-the-Middle (MitM)
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When targeting a HTTP proxy, https-proxy-agent opens a socket to the proxy, and sends the proxy server a CONNECT request. If the proxy server responds with something other than a HTTP response 200, https-proxy-agent incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.

Affected versions: < 2.2.3

Release notes

Sourced from https-proxy-agent's releases.

2.2.4

Patches

  • Add .editorconfig file: a0d4a20458498fc31e5721471bd2b655e992d44b
  • Add .eslintrc.js file: eecea74a1db1c943eaa4f667a561fd47c33da897
  • Use a net.Socket instead of a plain EventEmitter for replaying proxy errors: #83
  • Remove unused stream module: 9fdcd47bd813e9979ee57920c69e2ee2e0683cd4

Credits

Huge thanks to @​lpinca for helping!

2.2.3

Patches

  • Update README with actual secureProxy behavior: #65
  • Update proxy to v1.0.0: d0e3c18079119057b05582cb72d4fda21dfc2546
  • Remove unreachable code: 46aad0988b471f042856436cf3192b0e09e36fe6
  • Test on Node.js 10 and 12: 3535951e482ea52af4888938f59649ed92e81b2b
  • Fix compatibility with Node.js >= 10.0.0: #73
  • Use an EventEmitter to replay failed proxy connect HTTP requests: #77

Credits

Huge thanks to @​stoically, @​lpinca, and @​zkochan for helping!

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

  • Update frequency
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview
fix(deps): [security] bump https-proxy-agent from 2.2.2 to 2.2.4
cc01c0a 
Bumps [https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent) from 2.2.2 to 2.2.4. **This update includes security fixes.**
- [Release notes](https://github.com/TooTallNate/node-https-proxy-agent/releases)
- [Commits](TooTallNate/proxy-agents@2.2.2...2.2.4)

Signed-off-by: dependabot-preview[bot] <[email protected]>
@holvonixAdvay holvonixAdvay merged commit 145cd5c into master Nov 19, 2019
@holvonixAdvay holvonixAdvay deleted the dependabot/npm_and_yarn/https-proxy-agent-2.2.4 branch November 19, 2019 17:59
holvonix-bot added a commit that referenced this pull request Nov 19, 2019
@holvonix-bot
chore(release): 1.0.13 [skip ci]
a67cf54 
## [1.0.13](v1.0.12...v1.0.13) (2019-11-19)

### 🐛 Bug Fixes

* **deps:** [security] bump https-proxy-agent from 2.2.2 to 2.2.4 ([#18](#18)) ([](145cd5c))
* **deps:** bump semantic-release from 15.13.30 to 15.13.31 ([#17](#17)) ([](786e74b))

### 🧦 Miscellaneous

* deps are chores since this is a library ([](7c7e3c0))
@holvonix-bot
Copy link
Contributor

🎉 This PR is included in version 1.0.13 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@holvonixAdvay holvonixAdvay Awaiting requested review from holvonixAdvay

Assignees

@holvonixAdvay holvonixAdvay

Labels
dependencies released security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@holvonix-bot @holvonixAdvay