openedx / wg-frontend

Open edX Frontend Working Group

frontend-build: high security vulnerability needs solution #81

Closed dianekaplan closed 2 years ago

dianekaplan commented 2 years ago

There was a high security vulnerability in the follow-redirects package (see here), fixed in follow-redirects version 1.14.7.

The dependency path from frontend-build to follow-redirects is: @edx/frontend-build > webpack-dev-server > http-proxy-middleware > http-proxy > follow-redirects

Unfortunately http-proxy's last version is from 2 years ago (1.18.1), so it won't have this fix.

Until we can resolve this vulnerability, committing/merging is blocked in frontend-app-payment (and for anyone else with a check to make sure npm audit succeeds). What's the path forward? If one of those intermediate packages found a workaround we could be all set; at first glance, I don't see related GitHub issues in their repos, but I could be missing it.

Carlos-Muniz commented 2 years ago

I'll look into this!

Carlos-Muniz commented 2 years ago

Looks like there is some progress on this issue: https://github.com/http-party/node-http-proxy/pull/1564

It says here if we reinstall http-proxy, we should get the fixed follow-redirects.

Carlos-Muniz commented 2 years ago

I looked for follow-redirects within openedx/frontend-build, but only found a mention of it in package-lock.json. The output of ripgrep is:

❯ rg follow-redirects
package-lock.json
8129:    "node_modules/follow-redirects": {
8131:      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.9.tgz",
9127:        "follow-redirects": "^1.0.0",
25322:    "follow-redirects": {
25324:      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.9.tgz",
26031:        "follow-redirects": "^1.0.0",

The affected versions (< 1.14.7) are no longer installed. As the folks in http-proxy mentioned, just reinstalling http-proxy should solve it, as is clearly demonstrated by the committed package-lock.
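The resolution above rests on reading the lockfile by hand: the ripgrep output shows the same follow-redirects pin twice because a lockfileVersion 2 file carries both the flat "packages" map (keyed by node_modules path) and the legacy nested "dependencies" tree, and npm may also nest a second, older copy of a package under another dependency. The following is an added example, not code from this thread or from openedx/frontend-build: a small Python check that walks both lockfile structures, lists every installed copy of one package, and reports the paths still below the version the advisory names as fixed. The lockfile contents, package names other than follow-redirects and http-proxy, and all versions are constructed for the demonstration (only 1.14.7, 1.14.9 and 1.18.1 appear in the thread).

```python
"""Report every copy of a transitive npm dependency pinned below a fixed version.

Added example for checking a package-lock.json offline; the sample lockfile is
constructed, not the frontend-build one.
"""
import json

# Constructed lockfileVersion 2 sample. It deliberately carries one up-to-date
# top-level follow-redirects and one older copy nested under a hypothetical
# "legacy-tool" package, so the check has something to find.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"@edx/frontend-build": "^9.0.0"}},
        "node_modules/follow-redirects": {
            "version": "1.14.9",
            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.9.tgz",
        },
        "node_modules/legacy-tool/node_modules/follow-redirects": {
            "version": "1.14.1",
            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz",
        },
        "node_modules/http-proxy": {
            "version": "1.18.1",
            "dependencies": {"follow-redirects": "^1.0.0"},
        },
    },
    # Legacy v1 tree duplicating the information above, as real v2 lockfiles do.
    "dependencies": {
        "follow-redirects": {"version": "1.14.9"},
        "legacy-tool": {
            "version": "2.0.0",
            "requires": {"follow-redirects": "^1.0.0"},
            "dependencies": {"follow-redirects": {"version": "1.14.1"}},
        },
    },
})


def parse_version(text):
    """Turn '1.14.7' (or '1.14.7-beta.1') into a comparable tuple of ints.

    Pre-release and build suffixes are dropped; for a 'fixed in' floor check
    that is conservative enough, since 1.14.7-beta.1 would sort as 1.14.7.
    """
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def installed_versions(lock, package):
    """Return {install_path: version} for every copy of `package` in the lockfile.

    v2/v3 lockfiles have a flat "packages" map keyed by node_modules path; v1
    only has the nested "dependencies" tree. Both are walked and merged so the
    check works on either format.
    """
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path == f"node_modules/{package}" or path.endswith(f"/node_modules/{package}"):
            if meta.get("version"):
                found[path] = meta["version"]

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == package and meta.get("version"):
                found.setdefault(path, meta["version"])
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def vulnerable_copies(lock_text, package, fixed_in):
    """Return the sorted install paths whose version is still below `fixed_in`."""
    lock = json.loads(lock_text)
    floor = parse_version(fixed_in)
    return sorted(
        path for path, version in installed_versions(lock, package).items()
        if parse_version(version) < floor
    )


if __name__ == "__main__":
    bad = vulnerable_copies(SAMPLE_LOCK, "follow-redirects", "1.14.7")
    for path in bad:
        print(f"still vulnerable: {path}")
    print("lockfile clean" if not bad else f"{len(bad)} vulnerable copy/copies remain")
```

Pointing `vulnerable_copies` at a real lockfile (read the file instead of `SAMPLE_LOCK`) answers the question the thread settled by inspection: whether any copy of the package, top-level or nested, is still below the fixed version. A nested older copy is exactly the case a top-level `rg` hit can hide, and it is what `npm audit` keys on.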