Closed: qibobo closed this issue 4 years ago.
Appmetrics does not explicitly depend on https-proxy-agent, but one of our dependencies does:
appmetrics -> ibmapm-embed -> ibmapm-restclient -> https-proxy-agent
I've raised https://github.com/IBM/node-ibmapm-restclient/issues/4 to try and get ibmapm-restclient updated, and will follow up with an issue to ibmapm-embed once that is satisfactorily resolved.
One of our devDependencies also does, but that shouldn't affect your customer as devDependencies should not be installed outside of development environments.
appmetrics -> codecov -> teeny-request -> https-proxy-agent
The fix for this path is currently blocked by https://github.com/codecov/codecov-node/pull/158. I've asked for an update in that PR.
https://github.com/IBM/node-ibmapm-restclient/commit/7200d87bedc69596f35b6d1604046ae7a49fffb9 has updated the https-proxy-agent dependency for ibmapm-restclient to 4.0.0. This has percolated through to bluemix-autoscaling-agent successfully within existing dependency restrictions, and therefore this issue can be closed.
Our customer reported a man-in-the-middle vulnerability in bluemix-autoscaling-agent caused by https-proxy-agent v2.2.4. The module bluemix-autoscaling-agent uses the latest version of appmetrics, v5.1.1, and https-proxy-agent v2.2.4 is a dependency of appmetrics. As mentioned in https://hackerone.com/reports/541502, the vulnerability has been fixed in v3.0.0. Could you take a look at it?
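The thread turns on two questions a consumer of appmetrics has to answer from a lockfile: which paths lead from the project's own dependencies to https-proxy-agent, and which version each path actually resolves to once the ibmapm-restclient fix lands (a hoisted 2.2.4 copy can remain for the dev-only codecov path while a nested 4.0.0 copy serves the production path). The script below is an added example, not code from appmetrics, ibmapm-restclient or anyone in this thread. It walks a lockfileVersion 1 `package-lock.json` with Node's own lookup rule (a package's nested `node_modules` first, then each ancestor's, then the hoisted top level), so it reports the real resolved version rather than the `requires` range. The two lockfile fragments are constructed: only appmetrics 5.1.1, https-proxy-agent 2.2.4 and 4.0.0, and the fix threshold of 3.0.0 come from the thread; every other version, range and the manifest are placeholders.

```javascript
'use strict';

// Added example, not code from appmetrics or this thread's participants.
// Resolves every path from a project's declared dependencies to a target
// package over a lockfileVersion 1 package-lock and flags paths whose
// resolved version predates the release that fixed the issue.

// Constructed lockfile modelled on the paths named in the thread. Only
// appmetrics 5.1.1 and https-proxy-agent 2.2.4 are taken from the thread;
// all other versions and ranges are placeholders.
const LOCK_BEFORE = {
  name: 'bluemix-autoscaling-agent',
  lockfileVersion: 1,
  dependencies: {
    appmetrics: { version: '5.1.1', requires: { 'ibmapm-embed': '^1.0.0' } },
    'ibmapm-embed': { version: '1.0.0', requires: { 'ibmapm-restclient': '^1.0.0' } },
    'ibmapm-restclient': { version: '1.0.0', requires: { 'https-proxy-agent': '^2.2.1' } },
    'https-proxy-agent': { version: '2.2.4' }, // hoisted copy shared by both paths
    codecov: { version: '1.0.0', requires: { 'teeny-request': '^1.0.0' } },
    'teeny-request': { version: '1.0.0', requires: { 'https-proxy-agent': '^2.2.4' } },
  },
};

// Constructed "after" lockfile: ibmapm-restclient now requires ^4.0.0, which
// cannot share the hoisted 2.2.4 copy, so npm nests a 4.0.0 copy under it.
// The dev-only codecov path still resolves to the hoisted 2.2.4.
const LOCK_AFTER = JSON.parse(JSON.stringify(LOCK_BEFORE));
LOCK_AFTER.dependencies['ibmapm-restclient'] = {
  version: '1.0.1', // placeholder
  requires: { 'https-proxy-agent': '^4.0.0' },
  dependencies: { 'https-proxy-agent': { version: '4.0.0' } },
};

// Constructed package.json view: which top-level lock entries are real direct
// dependencies (everything else at the top level is merely hoisted).
const MANIFEST = { dependencies: ['appmetrics'], devDependencies: ['codecov'] };

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when v >= min on major.minor.patch. Prerelease tags are ignored here;
// use the semver package for anything beyond a demonstration.
function versionAtLeast(v, min) {
  const a = parseSemver(v);
  const b = parseSemver(min);
  for (let i = 0; i < 3; i += 1) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Node's lookup rule: the requiring package's own nested dependencies win,
// then each ancestor's, ending at the hoisted top level of the lockfile.
function resolveFrom(node, name) {
  for (let n = node; n; n = n.parent) {
    const deps = n.entry.dependencies;
    if (deps && deps[name]) return { name, entry: deps[name], parent: n };
  }
  return null;
}

// Every path from the manifest's direct dependencies to `target`, with the
// version that path actually resolves to and whether it starts at a devDependency.
function findPaths(lock, manifest, target) {
  const root = { name: lock.name, entry: lock, parent: null };
  const found = [];
  const walk = (node, path, dev) => {
    if (node.name === target) {
      found.push({ path: path.map((p) => p.name).join(' -> '), version: node.entry.version, dev });
      return;
    }
    for (const dep of Object.keys(node.entry.requires || {})) {
      const next = resolveFrom(node, dep);
      if (!next) continue; // inconsistent lockfile: requirement with no installed copy
      if (path.some((p) => p.name === next.name && p.entry.version === next.entry.version)) continue; // cycle
      walk(next, path.concat(next), dev);
    }
  };
  for (const [field, dev] of [['dependencies', false], ['devDependencies', true]]) {
    for (const name of manifest[field] || []) {
      const n = resolveFrom(root, name);
      if (n) walk(n, [n], dev);
    }
  }
  return found;
}

// Marks each path vulnerable when its resolved version predates `fixedIn`.
function audit(lock, manifest, target, fixedIn) {
  return findPaths(lock, manifest, target).map((r) => ({ ...r, vulnerable: !versionAtLeast(r.version, fixedIn) }));
}

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER]]) {
  for (const r of audit(lock, MANIFEST, 'https-proxy-agent', '3.0.0')) {
    console.log(`${label}: ${r.path} @ ${r.version}${r.dev ? ' (dev)' : ''} ${r.vulnerable ? 'VULNERABLE' : 'ok'}`);
  }
}
```

On the "before" lockfile both paths resolve to 2.2.4 and are flagged; on the "after" lockfile the production path resolves to the nested 4.0.0 while the codecov path still reaches the hoisted 2.2.4, which is exactly the split the maintainer describes: the customer-facing path is fixed, the dev-only path waits on the codecov change. Reading resolution from the lockfile rather than from `requires` ranges is what lets you confirm a fix has "percolated through within existing dependency restrictions" without reinstalling.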