build(deps): [security] bump https-proxy-agent from 2.2.2 to 2.2.4

[dependabot-preview[bot]]

Bumps https-proxy-agent from 2.2.2 to 2.2.4. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Node Security Working Group.

Man-in-the-Middle [https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection

Affected versions: <2.2.3

Sourced from The npm Advisory Database.

Man-in-the-Middle (MitM) Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When targeting a HTTP proxy, https-proxy-agent opens a socket to the proxy, and sends the proxy server a CONNECT request. If the proxy server responds with something other than a HTTP response 200, https-proxy-agent incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.

Affected versions: < 2.2.3

Release notes

Sourced from https-proxy-agent's releases.

2.2.4

Patches

• Add .editorconfig file: a0d4a20458498fc31e5721471bd2b655e992d44b
• Add .eslintrc.js file: eecea74a1db1c943eaa4f667a561fd47c33da897
• Use a net.Socket instead of a plain EventEmitter for replaying proxy errors: #83
• Remove unused stream module: 9fdcd47bd813e9979ee57920c69e2ee2e0683cd4

Credits

Huge thanks to @lpinca for helping!

2.2.3

Patches

• Update README with actual secureProxy behavior: #65
• Update proxy to v1.0.0: d0e3c18079119057b05582cb72d4fda21dfc2546
• Remove unreachable code: 46aad0988b471f042856436cf3192b0e09e36fe6
• Test on Node.js 10 and 12: 3535951e482ea52af4888938f59649ed92e81b2b
• Fix compatibility with Node.js >= 10.0.0: #73
• Use an EventEmitter to replay failed proxy connect HTTP requests: #77

Credits

Huge thanks to @stoically, @lpinca, and @zkochan for helping!

Commits

• 4c4cce8 2.2.4
• 9fdcd47 Remove unused stream module
• 34ea884 Use a net.Socket instead of a plain EventEmitter for replaying proxy erro...
• 4296770 Prettier
• eecea74 Add .eslintrc.js file
• a0d4a20 Add .editorconfig file
• 0d8e8bf 2.2.3
• 850b835 Revert "Use Mocha 5 for Node 4 support"
• f5f56fa Remove Node 4 from Travis
• bb837b9 Revert "Remove Node 4 from Travis"
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)

[dependabot-preview[bot]]

Looks like https-proxy-agent is up-to-date now, so this is no longer needed.