TooTallNate / proxy-agents

Node.js HTTP Proxy Agents Monorepo
https://proxy-agents.n8.io

Man In the Middle vulnerability #78

Closed medikoo closed 4 years ago

medikoo commented 4 years ago

Medium level.

Reported by Snyk: https://app.snyk.io/test/npm/https-proxy-agent/2.2.2

kachkaev commented 4 years ago

@TooTallNate seems like Snyk flags 3.0.0 as vulnerable as well: https://app.snyk.io/test/npm/https-proxy-agent/3.0.0

Do you think it's just a matter of them re-running the audit manually? Or is their report still legit?

TooTallNate commented 4 years ago

I think something needs to be updated / reported on their end. Same for the HackerOne report.

kachkaev commented 4 years ago

@lirantal could you please help us here? 🙏

lirantal commented 4 years ago

FYI that Snyk has public patches that can be applied if needed: https://app.snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131 and the Snyk tooling helps with applying these patches when no upgrade path is available.

Looks like @TooTallNate had only commented on the HackerOne report with a fix some 20 minutes ago so this is all fairly new. I'll update the Snyk team with this so we can triage and update fix availability as well as the Node.js Security WG repo too.

lirantal commented 4 years ago

We've pushed the update to support 3.0.0 as a fixed version of the module and will be reported as such by Snyk starting tomorrow. Please ping me using the mention tag otherwise and I'll chime in to check what's up.

benjifin commented 4 years ago

Hey just a heads up from Snyk's side - we've verified and released the update to support 3.0.0 as the fixed version. Thanks for pulling us in here to let us know about the fix (we do track all unfixed packages for releases, but always helpful when we get a heads up as well!)

AaronFriel commented 4 years ago

It would be enormously helpful, I think, for downstream consumers to publish a new patch version matching the semver ^2. By bumping the major version at the same time, thousands of reverse dependencies are broken and npm audit fix doesn't resolve the problem for them. This has resulted in, for example, most of the @google-cloud ecosystem of packages being broken (npm audit fails in CI systems and npm audit fix cannot resolve it) as of the time I write this.

AaronFriel commented 4 years ago

(Just as an aside, bumping the major version is not recommended by anyone as a response to a security vulnerability!)

AaronFriel commented 4 years ago

See: #84

lirantal commented 4 years ago

@AaronFriel the Snyk patch is compatible with 2.x: [screenshot]

see here for the links and details

hiendv commented 4 years ago

@AaronFriel Couldn't agree more. Why bump a major version for a security fix? Now it cannot be automatically resolved.

chkp-talron commented 4 years ago

Same issue here, can't use "npm audit fix", which breaks our pipeline. Also, version 3.0.0 is not promoted to be the latest version.