TooTallNate / proxy-agents

Node.js HTTP Proxy Agents Monorepo
https://proxy-agents.n8.io

Please create a 2.x branch and pull in this commit and publish #84

Closed AaronFriel closed 4 years ago

AaronFriel commented 4 years ago

This will unblock many, many people who are unable to resolve npm audit errors in their CI/CD system.

https://github.com/AaronFriel/node-https-proxy-agent/commit/25d3006b5d49ed93c68ce6b684fbeb0a34e2545f

stabback commented 4 years ago

Update Oct 22/2019

This should no longer be an issue, so do not follow the below steps. If you're coming from the future, this will likely not solve your problem.

See https://github.com/TooTallNate/node-https-proxy-agent/issues/84#issuecomment-544993571 around the resolution. 2.2.3 of https-proxy-agent has been released.

If you have followed the below, remove the workaround with:

  1. npm uninstall npm-force-resolutions
  2. Remove the resolutions member from your package.json
  3. Remove your package-lock.json and node_modules
    rm -r node_modules
    rm package-lock.json
  4. Install everything: npm i
  5. Re-run your audit: npm audit

Original fix

In case anyone else's deploys are stuck on this - https://www.npmjs.com/package/npm-force-resolutions may help you out while this is addressed, or while your dependencies update their dependencies (which may need to update their dependencies...)

  1. npm i --save-dev npm-force-resolutions
  2. Add this to your package.json
    "resolutions": {
        "https-proxy-agent": "^3.0.0"
    }
  3. Let npm-force-resolutions do its thing
    rm -r node_modules
    npx npm-force-resolutions
    npm install
  4. Re-run your audit: npm audit

This will force your dependencies to update to 3.0.1 as of right now. The bump from 2.2.2 to 3.0.0 can be read about here: https://github.com/TooTallNate/node-https-proxy-agent/releases/tag/3.0.0

Summary of major changes:

So if you're not running those versions of node, you should be fine. Run your tests, and ensure your application is running fine manually.

Remember to get rid of this workaround as soon as either

  1. The security fix is properly applied to 2.2.x
  2. All of your various dependencies update their versions.

jsphkm commented 4 years ago

Thanks, I can confirm that this worked. However, the message came back when I removed a package that is dependent on https-proxy-agent.

In that case, I ran the commands again to fix it

rm -r node_modules
npx npm-force-resolutions
npm install

manoharreddyporeddy commented 4 years ago

With above steps, it only temporarily goes away. npm i gets the issue back.

louislva commented 4 years ago

@TooTallNate would you be able to publish/merge @AaronFriel's patch?

ineffyble commented 4 years ago

Please do this.

khitrenovich commented 4 years ago

I see that v2.2.3 with the same fix was released a couple of hours ago. Is anybody aware of the right way to update the advisory so that npm audit will treat v2.2.3 as patched?

XhmikosR commented 4 years ago

https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies#data-sources-for-security-alerts

Someone should contact GitHub to speed things up.

khitrenovich commented 4 years ago

I just pinged the npm security team via email; not sure what the right way to fix the GitHub audit is.

khitrenovich commented 4 years ago

The npm advisory was just updated to mention 2.2.3 as not vulnerable - https://www.npmjs.com/advisories/1184/versions

TooTallNate commented 4 years ago

Done in v2.2.3.