Bumps https-proxy-agent from 2.2.1 to 2.2.4. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Node Security Working Group](https://github.com/nodejs/security-wg/blob/master/vuln/npm/505.json).*
> **Man-in-the-Middle**
> [https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection
>
> Affected versions: <2.2.3
*Sourced from [The npm Advisory Database](https://cwe.mitre.org/data/definitions/300.html).*
> **Man-in-the-Middle (MitM)**
> Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When targeting an HTTP proxy, https-proxy-agent opens a socket to the proxy, and sends the proxy server a CONNECT request. If the proxy server responds with something other than an HTTP response 200, https-proxy-agent incorrectly returns the socket without any TLS upgrade. This request data, which may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.
>
> Affected versions: < 2.2.3
Release notes
*Sourced from [https-proxy-agent's releases](https://github.com/TooTallNate/node-https-proxy-agent/releases).*
> ## 2.2.4
> ### Patches
>
> - Add `.editorconfig` file: a0d4a20458498fc31e5721471bd2b655e992d44b
> - Add `.eslintrc.js` file: eecea74a1db1c943eaa4f667a561fd47c33da897
> - Use a `net.Socket` instead of a plain `EventEmitter` for replaying proxy errors: [#83](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/83)
> - Remove unused `stream` module: 9fdcd47bd813e9979ee57920c69e2ee2e0683cd4
>
> ### Credits
>
> Huge thanks to [@lpinca](https://github.com/lpinca) for helping!
>
> ## 2.2.3
> ### Patches
>
> - Update README with actual `secureProxy` behavior: [#65](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/65)
> - Update `proxy` to v1.0.0: d0e3c18079119057b05582cb72d4fda21dfc2546
> - Remove unreachable code: 46aad0988b471f042856436cf3192b0e09e36fe6
> - Test on Node.js 10 and 12: 3535951e482ea52af4888938f59649ed92e81b2b
> - Fix compatibility with Node.js >= 10.0.0: [#73](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/73)
> - Use an `EventEmitter` to replay failed proxy connect HTTP requests: [#77](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/77)
>
> ### Credits
>
> Huge thanks to [@stoically](https://github.com/stoically), [@lpinca](https://github.com/lpinca), and [@zkochan](https://github.com/zkochan) for helping!
>
> ## 2.2.2
> ### Patches
>
> - Remove `package-lock.json`: c881009b9873707f5c4a0e9c277dde588e1139c7
> - Ignore test directory, History.md and .travis.yml when creating npm package. Fixes [#42](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/42): [#45](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/45)
> - Update `agent-base` to v4.2: [#50](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/50)
> - Add TypeScript type definitions: [#66](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/66)
> - Feat(typescript): Allow input to be options or string: [#68](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/68)
> - Update `agent-base` to v4.3: [#69](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/69)
>
> ### Credits
>
> Huge thanks to [@marco-c](https://github.com/marco-c), [@tareqhs](https://github.com/tareqhs), [@ianhowe76](https://github.com/ianhowe76), and [@BYK](https://github.com/BYK) for helping!
Commits
- [`4c4cce8`](https://github.com/TooTallNate/node-https-proxy-agent/commit/4c4cce8cb60fd3ac6171e4428f972698eb49f45a) 2.2.4
- [`9fdcd47`](https://github.com/TooTallNate/node-https-proxy-agent/commit/9fdcd47bd813e9979ee57920c69e2ee2e0683cd4) Remove unused `stream` module
- [`34ea884`](https://github.com/TooTallNate/node-https-proxy-agent/commit/34ea8841922fb6447563b0521f972ac3a6062303) Use a `net.Socket` instead of a plain `EventEmitter` for replaying proxy erro...
- [`4296770`](https://github.com/TooTallNate/node-https-proxy-agent/commit/4296770b6a0e631e3f8e7bd6cfd41ac8e91a3ec4) Prettier
- [`eecea74`](https://github.com/TooTallNate/node-https-proxy-agent/commit/eecea74a1db1c943eaa4f667a561fd47c33da897) Add `.eslintrc.js` file
- [`a0d4a20`](https://github.com/TooTallNate/node-https-proxy-agent/commit/a0d4a20458498fc31e5721471bd2b655e992d44b) Add `.editorconfig` file
- [`0d8e8bf`](https://github.com/TooTallNate/node-https-proxy-agent/commit/0d8e8bfe8b12e6ffe79a39eb93068cdf64c17e78) 2.2.3
- [`850b835`](https://github.com/TooTallNate/node-https-proxy-agent/commit/850b8359b7d0467d721705106b58f4c7cfb937dd) Revert "Use Mocha 5 for Node 4 support"
- [`f5f56fa`](https://github.com/TooTallNate/node-https-proxy-agent/commit/f5f56fa48ea4d2a61c385938e7753f5c1fe049d6) Remove Node 4 from Travis
- [`bb837b9`](https://github.com/TooTallNate/node-https-proxy-agent/commit/bb837b984bd868ad69080812eb8eab01181b21d7) Revert "Remove Node 4 from Travis"
- Additional commits viewable in [compare view](https://github.com/TooTallNate/node-https-proxy-agent/compare/2.2.1...2.2.4)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot will not automatically merge this PR because it includes a security patch update to a production dependency.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
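
An added check, not part of the Dependabot PR or of the https-proxy-agent project: bumping the direct dependency does not touch copies pinned by other packages, so this walks a parsed `package-lock.json` and reports every installed https-proxy-agent below 2.2.3, the affected range quoted above. The two lockfile objects are constructed samples and `example-client` is a hypothetical package name.

```javascript
const FIXED = [2, 2, 3]; // first unaffected version, per the advisory (< 2.2.3)

// Parse "x.y.z"; a prerelease/build suffix is ignored (a simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true; // git URL or tarball spec: report for manual review
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false; // exactly 2.2.3
}

// Lockfile v2/v3 lists installs in a flat "packages" map keyed by path;
// lockfile v1 nests them under "dependencies". Prefer "packages" when present
// so v2 files (which carry both) are not counted twice.
function findAffected(lock, name = 'https-proxy-agent') {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + name) && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail + '/' + dep;
      if (dep === name && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path); // nested (transitive) copies
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed samples: the top-level copy is fixed, a nested copy is not.
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  'https-proxy-agent': { version: '2.2.4' },
  'example-client': { version: '1.0.0', dependencies: { 'https-proxy-agent': { version: '2.2.1' } } } } };
const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'app' }, 'node_modules/https-proxy-agent': { version: '2.2.3' },
  'node_modules/example-client/node_modules/https-proxy-agent': { version: '2.2.2' } } };
```

For a real project, pass the result of `JSON.parse` on the repository's `package-lock.json` to `findAffected` and fail the CI job when the returned array is non-empty.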