This repository has been archived by the owner on Jan 10, 2023. It is now read-only.

npm audit reports vulnerability about https-proxy-agent #157

Closed
yhatt opened this issue Oct 18, 2019 · 3 comments
yhatt commented Oct 18, 2019

[email protected] has reported a vulnerability in its https-proxy-agent deep dependency when running npm audit (or yarn audit).
https://npmjs.com/advisories/1184

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ codecov [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ codecov > teeny-request > https-proxy-agent                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 21 scanned packages
  1 vulnerability requires manual review. See the full report for details.

codecov-node is using teeny-request v3, but the latest is v5.3.0, which includes the patched https-proxy-agent v3.0.0.

yhatt commented Nov 5, 2019

The patched https-proxy-agent >= v2.2.3 now looks to be available.

yhatt closed this as completed Nov 5, 2019
xurei commented Dec 19, 2019

Why is this closed? The issue is still there.

yhatt commented Dec 23, 2019

@xurei This is no longer reproduced in either my environment or a clean project (npm i --save-dev codecov && npm audit).

You probably have not updated the deep dependency. Try running npm --depth 3 update https-proxy-agent in your project to fix it.
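
One way to confirm that no stale nested copy of https-proxy-agent survives an update, as an added example that is not code from this thread or from codecov-node: it walks a lockfileVersion 1 dependencies tree and flags every copy below v2.2.3. The sample lockfile and the helper names findCopies and compareVersions are constructed for illustration.

```javascript
// Added example: find every installed copy of a package in a package-lock.json
// (lockfileVersion 1 "dependencies" tree) and flag copies below the patched version.
const PATCHED = '2.2.3'; // from the thread: https-proxy-agent >= v2.2.3 is patched

// Compare plain x.y.z versions numerically; pre-release tags are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the nested "dependencies" objects. "location" is where the copy sits in
// node_modules nesting, which is how a hoisted-but-unpatched duplicate shows up.
function findCopies(lock, name, trail = []) {
  const found = [];
  for (const [dep, info] of Object.entries(lock.dependencies || {})) {
    const here = [...trail, dep];
    if (dep === name) {
      found.push({ location: here.join(' > '), version: info.version,
                   patched: compareVersions(info.version, PATCHED) >= 0 });
    }
    found.push(...findCopies(info, name, here));
  }
  return found;
}

// Constructed sample lockfile (not taken from any real project): one patched
// top-level copy and one older copy still nested under teeny-request.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    codecov: { version: '0.0.0-sample', dev: true },
    'teeny-request': {
      version: '0.0.0-sample', dev: true,
      dependencies: { 'https-proxy-agent': { version: '2.2.2', dev: true } },
    },
    'https-proxy-agent': { version: '3.0.0', dev: true },
  },
};

const vulnerable = findCopies(sampleLock, 'https-proxy-agent').filter((c) => !c.patched);
console.log(vulnerable);
```

To run it against a real project, replace sampleLock with the parsed contents of that project's package-lock.json.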
