RuntimeTools / appmetrics

Node Application Metrics provides a foundational infrastructure for collecting resource and performance monitoring data for Node.js-based applications.
https://developer.ibm.com/open/node-application-metrics/
Apache License 2.0

Man-in-the-Middle vulnerability in dependency https-proxy-agent #633

Closed qibobo closed 4 years ago

qibobo commented 4 years ago

Our customer reported a Man-in-the-Middle vulnerability in bluemix-autoscaling-agent caused by https-proxy-agent v2.2.4. The module bluemix-autoscaling-agent uses the latest version appmetrics v5.1.1, and https-proxy-agent v2.2.4 is a dependency of appmetrics. As mentioned in https://hackerone.com/reports/541502, the vulnerability has been fixed in v3.0.0. Could you take a look at it?

mattcolegate commented 4 years ago

Appmetrics does not explicitly depend on https-proxy-agent, but one of our dependencies does:

appmetrics -> ibmapm-embed -> ibmapm-restclient -> https-proxy-agent

I've raised https://github.com/IBM/node-ibmapm-restclient/issues/4 to try and get ibmapm-restclient updated, and will follow up with an issue to ibmapm-embed once that is satisfactorily resolved.

One of our devDependencies also does, but that shouldn't affect your customer as devDependencies should not be installed outside of development environments.

appmetrics -> codecov -> teeny-request -> https-proxy-agent

The fix for this path is currently blocked by https://github.com/codecov/codecov-node/pull/158. I've asked for an update in that PR.

mattcolegate commented 4 years ago

https://github.com/IBM/node-ibmapm-restclient/commit/7200d87bedc69596f35b6d1604046ae7a49fffb9 has updated the https-proxy-agent dependency for ibmapm-restclient to 4.0.0. This has percolated through to bluemix-autoscaling-agent successfully within existing dependency restrictions and therefore this issue can be closed.
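The two dependency chains discussed in this thread (a production path through ibmapm-embed and a devDependency path through codecov) are exactly the kind of thing a lockfile audit script should surface: which paths reach a vulnerable package, whether a path only enters through devDependencies, and whether the installed version is at or past the first fixed release. The script below is an added example, not code from appmetrics, node-ibmapm-restclient, codecov, or any other project named above. It walks a constructed object shaped like an npm package-lock v1 (top-level "dependencies", per-package "requires", optional nested "dependencies" for a second copy of a package, and "dev": true on dev-only entries); the versions, the nested copy under teeny-request, and the state of each chain (production path already on 4.0.0, dev path still on 2.2.4) are assumptions chosen to mirror the thread, not the real lockfile. Version comparison is a deliberately simplified numeric major.minor.patch check that ignores prerelease tags.

```javascript
// Added example (not project code): find every path from the root package to a
// target dependency in a package-lock v1-shaped tree, mark dev-only paths, and
// compare the installed version against the first fixed version.

// Constructed root package.json fragment (assumption, mirrors the issue's chains).
const PKG = {
  name: 'appmetrics',
  dependencies: { 'ibmapm-embed': '^1.0.0' },
  devDependencies: { codecov: '^3.0.0' },
};

// Constructed lockfile fragment (assumption): the production chain has already
// picked up https-proxy-agent 4.0.0, while teeny-request still pins a nested
// 2.2.4 copy because its "requires" range cannot accept the hoisted 4.x.
const LOCK = {
  dependencies: {
    'ibmapm-embed': { version: '1.0.0', requires: { 'ibmapm-restclient': '^1.0.0' } },
    'ibmapm-restclient': { version: '1.0.1', requires: { 'https-proxy-agent': '^4.0.0' } },
    'https-proxy-agent': { version: '4.0.0' },
    codecov: { version: '3.6.0', dev: true, requires: { 'teeny-request': '^3.11.0' } },
    'teeny-request': {
      version: '3.11.3',
      dev: true,
      requires: { 'https-proxy-agent': '^2.2.1' },
      dependencies: { 'https-proxy-agent': { version: '2.2.4', dev: true } },
    },
  },
};

// Simplified semver: numeric major.minor.patch only; prerelease/build tags are
// ignored (assumption, good enough for comparing against a fixed release).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function versionLessThan(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Resolve a package name the way node's loader does: the nearest nested
// "dependencies" map wins, then each ancestor's, then the hoisted top level.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i] && scopes[i][name]) return scopes[i][name];
  }
  return null;
}

// Enumerate every path root -> ... -> target. A path is "dev" when its first hop
// is one of the root's devDependencies, i.e. it is not installed for production.
function findPaths(pkg, lock, target) {
  const results = [];
  const walk = (name, entry, scopes, trail, dev) => {
    const id = `${name}@${entry.version}`;
    if (trail.includes(id)) return; // cycle guard
    const here = [...trail, id];
    if (name === target) {
      results.push({ path: here, version: entry.version, dev });
      return;
    }
    const nextScopes = [...scopes, entry.dependencies || null];
    for (const dep of Object.keys(entry.requires || {})) {
      const child = resolve(dep, nextScopes);
      if (child) walk(dep, child, nextScopes, here, dev);
    }
  };
  const top = lock.dependencies || {};
  for (const [deps, dev] of [[pkg.dependencies, false], [pkg.devDependencies, true]]) {
    for (const dep of Object.keys(deps || {})) {
      if (top[dep]) walk(dep, top[dep], [top], [pkg.name], dev);
    }
  }
  return results;
}

// Annotate each path with whether the installed copy predates the fixed version.
function audit(pkg, lock, target, fixedVersion) {
  return findPaths(pkg, lock, target).map((r) => ({
    ...r,
    vulnerable: versionLessThan(r.version, fixedVersion),
  }));
}

for (const r of audit(PKG, LOCK, 'https-proxy-agent', '3.0.0')) {
  const scope = r.dev ? 'dev-only' : 'production';
  const state = r.vulnerable ? 'VULNERABLE' : 'fixed';
  console.log(`${r.path.join(' > ')}  [${scope}, ${state}]`);
}

module.exports = { PKG, LOCK, parseVersion, versionLessThan, findPaths, audit };
```

Run it with `node audit.js`; the production chain reports as fixed and the codecov chain as dev-only and still vulnerable, which is the split mattcolegate describes. Two points the script makes explicit: the lookup order in `resolve` matters, because a hoisted 4.x at top level does not help a consumer whose range forces a nested 2.x copy, and a dev-only verdict is only reassuring if production installs actually run with `--production` (or `NODE_ENV=production`), so that check belongs in the deployment pipeline rather than in the audit.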