microsoft / code-push

A cloud service that enables Cordova and React Native developers to deploy mobile app updates directly to their users’ devices.
https://microsoft.github.io/code-push/

[Security vulnerability] Man in the middle attack #671

Closed luisnaranjo733 closed 4 years ago

luisnaranjo733 commented 4 years ago

All current versions of the "code-push" npm package have a transitive dependency on https-proxy-agent@2 which has a security vulnerability (see HackerOne report and npmjs.com security report for reference). The comments in the HackerOne report include helpful interactions with the author and are worth a quick read.

These are the paths of the dependency graph for "code-push" that include this vulnerability:

Path 1

code-push -> superagent-proxy -> proxy-agent -> pac-proxy-agent -> https-proxy-agent@2

Path 2

code-push -> superagent-proxy -> proxy-agent -> https-proxy-agent@2

The "code-push" package should publish an update that uses a version of superagent-proxy that has a fix (https-proxy-agent@2 -> https-proxy-agent@3). This will unblock other upstream dependencies like "react-native-code-push" so that they can publish their own fixes.

Good news

Bad news

luisnaranjo733 commented 4 years ago

On closer inspection, I found that this vulnerability has already been fixed downstream. Coincidentally, the downstream dependency graph has loose enough version targeting that "code-push" and "react-native-code-push" both benefit from the fix for free, without needing a code change.

That being said, consumers of react-native-code-push and code-push that installed those packages before the fix and use lock files are still impacted until they refresh their dependency graph.

In order to upgrade from the vulnerable https-proxy-agent@2 to the patched https-proxy-agent@3, all I needed to do was the following:

npm uninstall react-native-code-push
npm install react-native-code-push

This refreshed my package-lock to a healthy state. Yarn users can also reinstall to fix their yarn.lock file.
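As an added example (not code from the issue or the code-push project), here is the lockfile audit a consumer could run before and after the reinstall above: it walks a v1 package-lock.json object and reports every dependency path that still resolves to https-proxy-agent below major 3. The lockfile, its version numbers and the root `requires` map are constructed for the example.

```javascript
// Added example, not code from the code-push project: walk a package-lock.json
// v1 object and report every dependency path that resolves to https-proxy-agent
// below major 3, the fixed version named in this issue.
const VULNERABLE_PACKAGE = "https-proxy-agent";
const FIXED_MAJOR = 3;

// Constructed lockfile mirroring the report's two paths (versions illustrative);
// v1 lockfiles omit the root's direct deps, so root `requires` comes from package.json.
const sampleLock = {
  requires: { "code-push": "^2.0.0" },
  dependencies: {
    "code-push": { version: "2.0.6", requires: { "superagent-proxy": "^2.0.0" } },
    "superagent-proxy": { version: "2.0.0", requires: { "proxy-agent": "^3.0.0" } },
    "proxy-agent": { version: "3.0.3",
      requires: { "pac-proxy-agent": "^3.0.0", "https-proxy-agent": "^2.2.1" } },
    "pac-proxy-agent": { version: "3.0.0", requires: { "https-proxy-agent": "^2.2.1" } },
    "https-proxy-agent": { version: "2.2.1" },
  },
};

// npm resolves a requirement from the nearest enclosing `dependencies` map:
// the package's own nested deps first, then each ancestor's, up to the root.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return null;
}

// Depth-first walk from the root; returns each path (name@version entries)
// ending at a copy of `target` whose major version is below `fixedMajor`.
function findVulnerablePaths(lock, target = VULNERABLE_PACKAGE, fixedMajor = FIXED_MAJOR) {
  const results = [];
  function walk(name, scopes, path, seen) {
    const node = resolve(name, scopes);
    if (!node || seen.has(name)) return; // unresolved entry or cycle
    const nextPath = [...path, `${name}@${node.version}`];
    if (name === target) {
      if (parseInt(node.version, 10) < fixedMajor) results.push(nextPath);
      return;
    }
    const nextSeen = new Set(seen).add(name);
    for (const dep of Object.keys(node.requires || {})) walk(dep, [...scopes, node], nextPath, nextSeen);
  }
  for (const dep of Object.keys(lock.requires || {})) walk(dep, [lock], [], new Set());
  return results;
}

console.log(findVulnerablePaths(sampleLock).map((p) => p.join(" -> ")).join("\n"));
```

To audit a real project, replace `sampleLock` with the parsed package-lock.json and copy the root `requires` map from package.json; an empty result after the reinstall confirms the lock file was refreshed.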