ddsol / speedtest.net

node.js SpeedTest.net client module
MIT License

Known vulnerability in https-proxy-agent v2 #94

Closed ivarprudnikov closed 4 years ago

ivarprudnikov commented 4 years ago

Npm audit found a vulnerability in https-proxy-agent used by this module.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ speedtest-net [dev]                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ speedtest-net > https-proxy-agent                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1184                      │
└───────────────┴──────────────────────────────────────────────────────────────┘

The only non-vulnerable version at this time is https-proxy-agent@3.0.0 and up.

According to the release docs, the breaking change is only due to:

It is a breaking change because Node 4, 5, and 7 are no longer tested in CI (note that Node 6 is still supported).

More info on the https-proxy-agent releases page: https://github.com/TooTallNate/node-https-proxy-agent/releases
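A defender-side check for the advisory above, added here as an example that is not code from the speedtest-net project: it walks a lockfileVersion 1 package-lock.json dependency tree and reports every path that resolves https-proxy-agent to a version below the patched 3.0.0. The lock-file content, package names other than those named on this page, and the version numbers in it are constructed for illustration.

```javascript
// Advisory data taken from the npm audit output above: patched in >=3.0.0.
const ADVISORY = { name: 'https-proxy-agent', patchedIn: '3.0.0' };

// Minimal semver parser: returns [major, minor, patch], or null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when a is strictly lower than b (both [major, minor, patch]).
function olderThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Recursively walk the lockfileVersion 1 "dependencies" objects and collect
// every "root > ... > package@version" path whose version is below the patched
// one. An unparseable version is reported too, so it cannot hide from the check.
function findVulnerablePaths(lock, advisory = ADVISORY) {
  const patched = parseVersion(advisory.patchedIn);
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === advisory.name) {
        const ver = parseVersion(info.version);
        if (!ver || olderThan(ver, patched)) hits.push(`${path.join(' > ')}@${info.version}`);
      }
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, [lock.name]);
  return hits;
}

// Constructed sample lock file (versions are illustrative, not real releases):
// speedtest-net still pulls a 2.x https-proxy-agent, while a second package
// nests the patched 3.0.0, so only the first path should be reported.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 1,
  dependencies: {
    'speedtest-net': { version: '0.0.0', dependencies: { 'https-proxy-agent': { version: '2.0.0' } } },
    'other-tool': { version: '0.0.0', dependencies: { 'https-proxy-agent': { version: '3.0.0' } } },
  },
};

console.log(findVulnerablePaths(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json; a non-empty result means the upgrade to 3.0.0 or later has not reached every path yet.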

ivarprudnikov commented 4 years ago

This is a duplicate of #93, which has a pending pull request.