chimurai / http-proxy-middleware

:zap: The one-liner node.js http-proxy middleware for connect, express, next.js and more
MIT License
10.6k stars 828 forks

Security Vulnerability in Dependency | follow-redirects #960

Closed shyamprasadc closed 3 months ago

shyamprasadc commented 6 months ago

Describe the bug (be clear and concise)

Follow Redirects improperly handles URLs in url.parse(). Patched version: >=1.15.4

Step-by-step reproduction instructions

1. ...
2. ...

Expected behavior (be clear and concise)

I expected http-proxy-middleware to use follow-redirects version >= 1.15.4, addressing a security vulnerability related to improper URL handling in the url.parse() function.

How is http-proxy-middleware used in your project?

yarn add http-proxy-middleware

What http-proxy-middleware configuration are you using?

import type { Request, Response } from "express";
import queryString from "node:querystring"; // assumed: the post does not show where queryString comes from
const logger = console; // stand-in for the poster's logger, which the post does not show

// `config.baseUrl` is the poster's own setting; the object is passed to createProxyMiddleware(proxyOptions).
const proxyOptions = {
  target: config.baseUrl,
  changeOrigin: true,
  onProxyReq: (proxyReq: any, req: Request, _res: Response) => {
    // Re-stream a body that body-parser has already consumed; otherwise the
    // upstream request would wait for a body that never arrives.
    if (!req.body || !Object.keys(req.body).length) {
      return;
    }
    // getHeader() may return undefined; coerce so .includes() cannot throw.
    const contentType = String(proxyReq.getHeader("Content-Type") ?? "");
    const writeBody = (bodyData: string) => {
      proxyReq.setHeader("Content-Length", Buffer.byteLength(bodyData));
      proxyReq.write(bodyData);
    };
    if (contentType.includes("application/json")) {
      writeBody(JSON.stringify(req.body));
    } else if (contentType.includes("application/x-www-form-urlencoded")) {
      writeBody(queryString.stringify(req.body));
    }
  },
  onProxyRes: (proxyRes: any, req: Request, res: Response) => {
    const exchange = `[PROXY] ${proxyRes.statusCode} ${req.method} ${req.path} -> ${proxyRes.req.protocol}//${proxyRes.req.host}${proxyRes.req.path}`;
    logger.info(exchange);
  },
};

What OS/version and node/version are you seeing the problem?

http-proxy-middleware: ^2.0.6
node: 16.20.2

Additional context (optional)

No response

cupofjoakim commented 5 months ago

Dependabot has created a PR for the upgrade: https://github.com/chimurai/http-proxy-middleware/pull/961

chimurai commented 3 months ago

refresh your package lock file and you should get the latest follow-redirects version
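The maintainer's reply points at the real control here: follow-redirects is not pinned by http-proxy-middleware's own package.json but by whatever the lockfile resolved, so the question is which copy is actually installed, and there can be more than one. The following is an added example, not code from this issue or from the http-proxy-middleware project. It reads a package-lock.json (both the v1 nested tree and the v2/v3 "packages" map), lists every installed copy of a package, and reports those below the patched floor quoted in the report (1.15.4). The sample lock is constructed for illustration; the package nesting it shows and the function names are assumptions, not data from the page.

```typescript
// Added example (not from the issue thread or from http-proxy-middleware):
// audit a package-lock.json for stale transitive copies of a package.
import { readFileSync } from "node:fs";

type LockDep = { version?: string; dependencies?: Record<string, LockDep> };
type LockFile = {
  lockfileVersion?: number;
  packages?: Record<string, { version?: string }>; // lockfileVersion 2/3
  dependencies?: Record<string, LockDep>;          // lockfileVersion 1
};

// Numeric compare of "x.y.z" versions: -1, 0 or 1. Pre-release suffixes are
// dropped, which is adequate for a floor check against a release like 1.15.4.
function compareVersions(a: string, b: string): number {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, keyed by its node_modules path.
function installedVersions(lock: LockFile, name: string): Record<string, string> {
  const found: Record<string, string> = {};
  if (lock.packages) {
    // v2/v3: keys look like "node_modules/a/node_modules/b"
    for (const [path, entry] of Object.entries(lock.packages)) {
      const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
      if (isTarget && entry.version) found[path] = entry.version;
    }
    return found;
  }
  // v1: nested "dependencies" tree; rebuild the equivalent paths
  const walk = (deps: Record<string, LockDep> | undefined, prefix: string): void => {
    for (const [dep, entry] of Object.entries(deps ?? {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name && entry.version) found[path] = entry.version;
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Paths (as "path@version") whose copy is older than `minVersion`.
// An empty result means every installed copy is at or above the floor.
function vulnerableCopies(lock: LockFile, name: string, minVersion: string): string[] {
  return Object.entries(installedVersions(lock, name))
    .filter(([, v]) => compareVersions(v, minVersion) < 0)
    .map(([p, v]) => `${p}@${v}`);
}

function auditLockFile(path: string, name = "follow-redirects", minVersion = "1.15.4"): string[] {
  const lock: LockFile = JSON.parse(readFileSync(path, "utf8"));
  return vulnerableCopies(lock, name, minVersion);
}

// Constructed sample (assumed layout, not taken from any real project):
// a hoisted copy that is patched plus a nested, stale copy that is not.
const SAMPLE_LOCK: LockFile = {
  lockfileVersion: 3,
  packages: {
    "": { version: "1.0.0" },
    "node_modules/http-proxy-middleware": { version: "2.0.6" },
    "node_modules/http-proxy": { version: "1.18.1" },
    "node_modules/http-proxy/node_modules/follow-redirects": { version: "1.15.2" },
    "node_modules/follow-redirects": { version: "1.15.4" },
  },
};

console.log(vulnerableCopies(SAMPLE_LOCK, "follow-redirects", "1.15.4"));
```

Run `auditLockFile("package-lock.json")` against a real lockfile; anything it returns is a copy that refreshing the lock (or `npm update follow-redirects`) has not yet moved past 1.15.4. Checking only the top-level `node_modules/follow-redirects` entry would have missed the nested copy in the sample, which is why the scan keys on every path ending in `/node_modules/<name>`.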