open-ux-tools
[Security] `follow-redirects` Information Exposure
Description
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authorization header, which contains credentials too. This vulnerability may lead to a credential leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
More information at https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6444610
Tasks
- [x] user overrides to remove the nested dependencies to the vulnerable version (#1766)
- [ ] Remove "nx-cloud>axios@<1.6.8": ">=1.6.8" as soon as possible
- [ ] Remove "@sap/bas-sdk>axios@<1.6.8": ">=1.6.8" as soon as possible
- [x] Remove "http-proxy>follow-redirects@<1.15.6": ">=1.15.6" as soon as possible
- [x] Remove "socks-proxy-agent>socks@<2.8.1": ">=2.8.1" as soon as possible
- [x] Remove "ip@<2.0.1": ">=2.0.1" as soon as possible
- No update for https://www.npmjs.com/package/nx-cloud or https://www.npmjs.com/package/@nrwl/nx-cloud at this time
- Has not made required axios update yet https://www.npmjs.com/package/@sap/bas-sdk?activeTab=code
- No update for https://www.npmjs.com/package/http-proxy at this time (as last change was 4 years ago it is likely it never will)
- No update yet for https://www.npmjs.com/package/make-fetch-happen which is the source for socks-proxy-agent
- Storybook can probably be upgraded (https://www.npmjs.com/package/@storybook/core-server/v/7.6.18?activeTab=code) to get the ip fix