build(deps): [security] bump https-proxy-agent from 2.2.1 to 2.2.4 (!2275) · Merge requests · Hannes Heine / Ocelot-Social

Hannes Heine requested to merge pr2274head into pr2274base Oct 05, 2020

Created by: Tirokk

Authored by dependabot-preview[bot] Nov 18, 2019 Merged Nov 18, 2019

Bumps https-proxy-agent from 2.2.1 to 2.2.4. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Node Security Working Group.

Man-in-the-Middle [https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection

Affected versions: <2.2.3

Sourced from The npm Advisory Database.

Man-in-the-Middle (MitM) Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When targeting a HTTP proxy, https-proxy-agent opens a socket to the proxy, and sends the proxy server a CONNECT request. If the proxy server responds with something other than a HTTP response 200, https-proxy-agent incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.

Affected versions: < 2.2.3

Release notes

Sourced from https-proxy-agent's releases.

2.2.4

Patches

Add .editorconfig file: a0d4a20458498fc31e5721471bd2b655e992d44b

Add .eslintrc.js file: eecea74a1db1c943eaa4f667a561fd47c33da897

Use a net.Socket instead of a plain EventEmitter for replaying proxy errors: #83

Remove unused stream module: 9fdcd47bd813e9979ee57920c69e2ee2e0683cd4

Credits

Huge thanks to @lpinca for helping!

2.2.3

Patches

Update README with actual secureProxy behavior: #65

Update proxy to v1.0.0: d0e3c18079119057b05582cb72d4fda21dfc2546

Remove unreachable code: 46aad0988b471f042856436cf3192b0e09e36fe6

Test on Node.js 10 and 12: 3535951e482ea52af4888938f59649ed92e81b2b

Fix compatibility with Node.js >= 10.0.0: #73

Use an EventEmitter to replay failed proxy connect HTTP requests: #77

Credits

Huge thanks to @stoically, @lpinca, and @zkochan for helping!

2.2.2

Patches

Remove package-lock.json: c881009b9873707f5c4a0e9c277dde588e1139c7

Ignore test directory, History.md and .travis.yml when creating npm package. Fixes #42: #45

Update agent-base to v4.2: #50

Add TypeScript type definitions: #66

Feat(typescript): Allow input to be options or string: #68

Update agent-base to v4.3: #69

Credits

Huge thanks to @marco-c, @tareqhs, @ianhowe76, and @BYK for helping!

Commits

4c4cce8 2.2.4
9fdcd47 Remove unused stream module
34ea884 Use a net.Socket instead of a plain EventEmitter for replaying proxy erro...
4296770 Prettier
eecea74 Add .eslintrc.js file
a0d4a20 Add .editorconfig file
0d8e8bf 2.2.3
850b835 Revert "Use Mocha 5 for Node 4 support"
f5f56fa Remove Node 4 from Travis
bb837b9 Revert "Remove Node 4 from Travis"
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
@dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

Update frequency (including time of day and day of week)
Pull request limits (per update run and/or open at any time)
Automerge options (never/patch/minor, and dev/runtime dependencies)
Out-of-range updates (receive only lockfile updates, if desired)
Security updates (receive only security updates, if desired)

build(deps): [security] bump https-proxy-agent from 2.2.1 to 2.2.4

2.2.4

Patches

Credits

2.2.3

Patches

Credits

2.2.2

Patches

Credits

Merge request reports