qcif / data-curator

Data Curator - share usable open data
MIT License
265 stars 38 forks source link

[Security] Bump https-proxy-agent from 2.2.1 to 2.2.4 #965

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps https-proxy-agent from 2.2.1 to 2.2.4. This update includes security fixes.

Vulnerabilities fixed *Sourced from [The Node Security Working Group](https://github.com/nodejs/security-wg/blob/master/vuln/npm/505.json).* > **Man-in-the-Middle** > [https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection > > Affected versions: <2.2.3 *Sourced from [The npm Advisory Database](https://cwe.mitre.org/data/definitions/300.html).* > **Man-in-the-Middle (MitM)** > Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When targeting a HTTP proxy, https-proxy-agent opens a socket to the proxy, and sends the proxy server a CONNECT request. If the proxy server responds with something other than a HTTP response 200, https-proxy-agent incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client. > > Affected versions: < 2.2.3
Release notes *Sourced from [https-proxy-agent's releases](https://github.com/TooTallNate/node-https-proxy-agent/releases).* > ## 2.2.4 > ### Patches > > - Add `.editorconfig` file: a0d4a20458498fc31e5721471bd2b655e992d44b > - Add `.eslintrc.js` file: eecea74a1db1c943eaa4f667a561fd47c33da897 > - Use a `net.Socket` instead of a plain `EventEmitter` for replaying proxy errors: [#83](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/83) > - Remove unused `stream` module: 9fdcd47bd813e9979ee57920c69e2ee2e0683cd4 > > ### Credits > > Huge thanks to [@​lpinca](https://github.com/lpinca) for helping! > > ## 2.2.3 > ### Patches > > - Update README with actual `secureProxy` behavior: [#65](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/65) > - Update `proxy` to v1.0.0: d0e3c18079119057b05582cb72d4fda21dfc2546 > - Remove unreachable code: 46aad0988b471f042856436cf3192b0e09e36fe6 > - Test on Node.js 10 and 12: 3535951e482ea52af4888938f59649ed92e81b2b > - Fix compatibility with Node.js >= 10.0.0: [#73](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/73) > - Use an `EventEmitter` to replay failed proxy connect HTTP requests: [#77](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/77) > > ### Credits > > Huge thanks to [@​stoically](https://github.com/stoically), [@​lpinca](https://github.com/lpinca), and [@​zkochan](https://github.com/zkochan) for helping! > > ## 2.2.2 > ### Patches > > - Remove `package-lock.json`: c881009b9873707f5c4a0e9c277dde588e1139c7 > - Ignore test directory, History.md and .travis.yml when creating npm package. Fixes [#42](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/42): [#45](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/45) > - Update `agent-base` to v4.2: [#50](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/50) > - Add TypeScript type definitions: [#66](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/66) > - Feat(typescript): Allow input to be options or string: [#68](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/68) > - Update `agent-base` to v4.3: [#69](https://github-redirect.dependabot.com/TooTallNate/node-https-proxy-agent/issues/69) > > ### Credits > > Huge thanks to [@​marco-c](https://github.com/marco-c), [@​tareqhs](https://github.com/tareqhs), [@​ianhowe76](https://github.com/ianhowe76), and [@​BYK](https://github.com/BYK) for helping!
Commits - [`4c4cce8`](https://github.com/TooTallNate/node-https-proxy-agent/commit/4c4cce8cb60fd3ac6171e4428f972698eb49f45a) 2.2.4 - [`9fdcd47`](https://github.com/TooTallNate/node-https-proxy-agent/commit/9fdcd47bd813e9979ee57920c69e2ee2e0683cd4) Remove unused `stream` module - [`34ea884`](https://github.com/TooTallNate/node-https-proxy-agent/commit/34ea8841922fb6447563b0521f972ac3a6062303) Use a `net.Socket` instead of a plain `EventEmitter` for replaying proxy erro... - [`4296770`](https://github.com/TooTallNate/node-https-proxy-agent/commit/4296770b6a0e631e3f8e7bd6cfd41ac8e91a3ec4) Prettier - [`eecea74`](https://github.com/TooTallNate/node-https-proxy-agent/commit/eecea74a1db1c943eaa4f667a561fd47c33da897) Add `.eslintrc.js` file - [`a0d4a20`](https://github.com/TooTallNate/node-https-proxy-agent/commit/a0d4a20458498fc31e5721471bd2b655e992d44b) Add `.editorconfig` file - [`0d8e8bf`](https://github.com/TooTallNate/node-https-proxy-agent/commit/0d8e8bfe8b12e6ffe79a39eb93068cdf64c17e78) 2.2.3 - [`850b835`](https://github.com/TooTallNate/node-https-proxy-agent/commit/850b8359b7d0467d721705106b58f4c7cfb937dd) Revert "Use Mocha 5 for Node 4 support" - [`f5f56fa`](https://github.com/TooTallNate/node-https-proxy-agent/commit/f5f56fa48ea4d2a61c385938e7753f5c1fe049d6) Remove Node 4 from Travis - [`bb837b9`](https://github.com/TooTallNate/node-https-proxy-agent/commit/bb837b984bd868ad69080812eb8eab01181b21d7) Revert "Remove Node 4 from Travis" - Additional commits viewable in [compare view](https://github.com/TooTallNate/node-https-proxy-agent/compare/2.2.1...2.2.4)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)
dependabot-preview[bot] commented 4 years ago

Looks like https-proxy-agent is up-to-date now, so this is no longer needed.