[Security] Bump https-proxy-agent from 2.2.1 to 2.2.4

[dependabot-preview]

Bumps https-proxy-agent from 2.2.1 to 2.2.4. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Node Security Working Group.

Man-in-the-Middle
[https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection

Affected versions: <2.2.3

Sourced from The npm Advisory Database.

Man-in-the-Middle (MitM)
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When targeting a HTTP proxy, https-proxy-agent opens a socket to the proxy, and sends the proxy server a CONNECT request. If the proxy server responds with something other than a HTTP response 200, https-proxy-agent incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.

Affected versions: < 2.2.3

Release notes

Sourced from https-proxy-agent's releases.

2.2.4

Patches

• Add .editorconfig file: a0d4a20458498fc31e5721471bd2b655e992d44b
• Add .eslintrc.js file: eecea74a1db1c943eaa4f667a561fd47c33da897
• Use a net.Socket instead of a plain EventEmitter for replaying proxy errors: #83
• Remove unused stream module: 9fdcd47bd813e9979ee57920c69e2ee2e0683cd4

Credits

Huge thanks to @​lpinca for helping!

2.2.3

Patches

• Update README with actual secureProxy behavior: #65
• Update proxy to v1.0.0: d0e3c18079119057b05582cb72d4fda21dfc2546
• Remove unreachable code: 46aad0988b471f042856436cf3192b0e09e36fe6
• Test on Node.js 10 and 12: 3535951e482ea52af4888938f59649ed92e81b2b
• Fix compatibility with Node.js >= 10.0.0: #73
• Use an EventEmitter to replay failed proxy connect HTTP requests: #77

Credits

Huge thanks to @​stoically, @​lpinca, and @​zkochan for helping!

2.2.2

Patches

• Remove package-lock.json: c881009b9873707f5c4a0e9c277dde588e1139c7
• Ignore test directory, History.md and .travis.yml when creating npm package. Fixes #42: #45
• Update agent-base to v4.2: #50
• Add TypeScript type definitions: #66
• Feat(typescript): Allow input to be options or string: #68
• Update agent-base to v4.3: #69

Credits

Huge thanks to @​marco-c, @​tareqhs, @​ianhowe76, and @​BYK for helping!

Commits

• 4c4cce8 2.2.4
• 9fdcd47 Remove unused stream module
• 34ea884 Use a net.Socket instead of a plain EventEmitter for replaying proxy erro...
• 4296770 Prettier
• eecea74 Add .eslintrc.js file
• a0d4a20 Add .editorconfig file
• 0d8e8bf 2.2.3
• 850b835 Revert "Use Mocha 5 for Node 4 support"
• f5f56fa Remove Node 4 from Travis
• bb837b9 Revert "Remove Node 4 from Travis"
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[codecov]

Codecov Report

Merging #505 into master will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master     #505   +/-   ##
=========================================
  Coverage     56.07%   56.07%           
  Complexity      263      263           
=========================================
  Files            17       17           
  Lines           922      922           
=========================================
  Hits            517      517           
  Misses          405      405

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1c89d10...7e2aeb8. Read the comment docs.

[phil-davis]

@micbar another patch release that has the security label