Closed AaronFriel closed 4 years ago
This should no longer be an issue, so do not follow the below steps. If you're coming from the future, this will likely not solve your problem.
See https://github.com/TooTallNate/node-https-proxy-agent/issues/84#issuecomment-544993571 around the resolution. 2.2.3 of https-proxy-agent has been released.
If you have followed the below, remove the workaround with:
npm uninstall npm-force-resolutions
resolutions member from your package.json
rm -r node_modules
rm package-lock.json
npm i
npm audit
In case anyone else's deploys are stuck on this - https://www.npmjs.com/package/npm-force-resolutions may help you out while this is addressed, or while your dependencies update their dependencies (which may need to update their dependencies...)
npm i --save-dev npm-force-resolutions
"resolutions": {
"https-proxy-agent": "^3.0.0"
}
rm -r node_modules
npx npm-force-resolutions
npm install
npm audit
This will force your dependencies to update to 3.0.1 as of right now. The bump from 2.2.2 to 3.0.0 can be read about here: https://github.com/TooTallNate/node-https-proxy-agent/releases/tag/3.0.0
Summary of major changes:
So if you're not running those versions of node, you should be fine. Run your tests, and ensure your application is running fine manually.
Remember to get rid of this workaround as soon as either
Thanks, I can confirm that this worked. However, the message came back when I removed a package that is dependent on https-proxy-agent.
In that case, I ran the commands again to fix it:
rm -r node_modules
npx npm-force-resolutions
npm install
With the above steps, it only temporarily goes away. npm i gets the issue back.
@TooTallNate would you be able to publish/merge @AaronFriel's patch?
Please do this.
I see that v2.2.3 with the same fix was released a couple of hours ago. Is anybody aware of the right way to update the advisory so that npm audit will treat v2.2.3 as patched?
Someone should contact GitHub to speed things up.
I just pinged npm security team via email, not sure what's the right way to fix GitHub audit.
The npm advisory was just updated to mention 2.2.3 as not vulnerable - https://www.npmjs.com/advisories/1184/versions
Done in v2.2.3.
This will unblock many, many people who are unable to resolve npm audit errors in their CI/CD system.
https://github.com/AaronFriel/node-https-proxy-agent/commit/25d3006b5d49ed93c68ce6b684fbeb0a34e2545f
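Added example, not part of the thread or of either project's code: several comments above report the audit message returning after a later install, which happens when a nested copy of https-proxy-agent is still older than 2.2.3. The sketch below lists every copy recorded in a parsed package-lock.json and flags those below 2.2.3, the version the thread reports as patched; the function names and the sample lockfile are constructed for illustration, and it generalizes slightly by also reading the flat `packages` map of newer lockfiles.

```javascript
const PKG = 'https-proxy-agent';
const PATCHED = [2, 2, 3]; // threshold taken from the thread: 2.2.3 is not vulnerable

// Compare "x.y.z" against PATCHED; prerelease/build suffixes are ignored.
function isBelowPatched(version) {
  const parts = version.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== PATCHED[i]) return a < PATCHED[i];
  }
  return false;
}

// lockfileVersion 1: nested "dependencies" objects keyed by package name.
function walkV1(deps, trail, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = trail.concat(name);
    if (name === PKG && info.version) {
      out.push({ path: path.join(' > '), version: info.version });
    }
    walkV1(info.dependencies, path, out);
  }
}

// Returns [{ path, version, vulnerable }] for every copy in the lockfile.
function findCopies(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key.endsWith('node_modules/' + PKG) && info.version) {
        out.push({ path: key, version: info.version });
      }
    }
  } else {
    walkV1(lock.dependencies, [], out);
  }
  return out.map((c) => ({ ...c, vulnerable: isBelowPatched(c.version) }));
}

// Constructed sample lockfile (not from the thread): one stale nested copy.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'https-proxy-agent': { version: '3.0.1' },
    'some-cli': { version: '1.0.0', dependencies: { 'https-proxy-agent': { version: '2.2.2' } } },
  },
};
console.log(findCopies(sampleLock));
```

For a real project, pass it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any entry with `vulnerable: true` names the parent dependency that still pins an old copy.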