fix: update follow-redirects to 1.14.7 #1564

Closed
wants to merge 1 commit into from

Trott commented Jan 14, 2022

Fixes: #1563

james-portelli-cko commented Jan 17, 2022

Hey @indexzero by any chance would you be able (or perhaps know of someone with permissions) to merge and release this to resolve the security concerns? :)

Trott (Author) commented Jan 17, 2022

> Hey @indexzero by any chance would you be able (or perhaps know of someone with permissions) to merge and release this to resolve the security concerns? :)

Maybe @jcrugzz?

@james-portelli-cko As you may know (but if so, then for readers following along), this isn't necessary to fix the vulnerability warnings. If you reinstall http-proxy, you should get the fixed follow-redirects. It would still be good (in my opinion) to merge this and publish a new release for a few reasons, but consumers can solve the problem now without it.

MZOG commented Jan 27, 2022

@Trott I've deleted node_modules, removed package-lock, then reinstalled http-proxy and I'm still getting old follow-redirects : /

"http-proxy": {
    "version": "1.18.1",
    "resolved": "https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.1.tgz",
    "integrity": "sha512-7mz/721AbnJwIVbnaSv1Cz3Am0ZLT/UBwkC92VlxhXv/k/BBQfM2fXElQNC27BVGr0uwUpplYPQM9LnaBMR5NQ==",
    "dev": true,
    "requires": {
        "eventemitter3": "^4.0.0",
        "follow-redirects": "^1.0.0",
        "requires-port": "^1.0.0"
    }
},

Trott (Author) commented Jan 27, 2022

> @Trott I've deleted node_modules, removed package-lock, then reinstalled http-proxy and I'm still getting old follow-redirects : /
>
> "http-proxy": {
>     "version": "1.18.1",
>     "resolved": "https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.1.tgz",
>     "integrity": "sha512-7mz/721AbnJwIVbnaSv1Cz3Am0ZLT/UBwkC92VlxhXv/k/BBQfM2fXElQNC27BVGr0uwUpplYPQM9LnaBMR5NQ==",
>     "dev": true,
>     "requires": {
>         "eventemitter3": "^4.0.0",
>         "follow-redirects": "^1.0.0",
>         "requires-port": "^1.0.0"
>     }
> },

The snippet you are showing does not necessarily mean that a vulnerable version of follow-redirects is installed. Use npm ls follow-redirects to check the installed version. If it is vulnerable, check if you have an npm-shrinkwrap.json file and/or a yarn.lock file and be sure to remove them as well when re-installing.
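
An added example, not part of this thread or of the http-proxy project: in a lockfile, `requires` records only the range a package declares, while the installed release is the `version` field of each `follow-redirects` entry. The sketch below lists every installed copy in a parsed package-lock.json and flags those older than 1.14.7, the version in this PR's title; the function names, the sample lockfile and the `old-tool` package are constructed for illustration.

```javascript
const FIXED = "1.14.7"; // fixed release named in this PR's title

// Compare plain x.y.z versions numerically (assumes registry versions, no git/file specs).
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of `name`: v2/v3 flat "packages" map or v1 nested "dependencies".
function findInstalled(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const hit = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
      if (hit && meta.version) found.push({ path, version: meta.version });
    }
    return found;
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = [...trail, dep].join(" > ");
      if (dep === name && meta.version) found.push({ path, version: meta.version });
      walk(meta.dependencies, [...trail, dep]); // nested copies pinned under a parent
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Flag each installed copy that is older than the fixed release.
function audit(lock, name = "follow-redirects", fixed = FIXED) {
  return findInstalled(lock, name).map((e) => ({ ...e, vulnerable: cmpVersion(e.version, fixed) < 0 }));
}

// Constructed lockfile (v1 layout, like the quoted snippet); "old-tool" is hypothetical.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "http-proxy": { version: "1.18.1", requires: { "follow-redirects": "^1.0.0" } },
    "follow-redirects": { version: "1.14.7" },
    "old-tool": { version: "2.0.0", dependencies: { "follow-redirects": { version: "1.13.0" } } },
  },
};
console.log(audit(sampleLock));
```

The `^1.0.0` range under `http-proxy` never enters the result; only the two installed copies are reported, and only the nested 1.13.0 copy is flagged.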

Trott (Author) commented Apr 6, 2022

I suppose this repo is inactive.

Trott closed this Apr 6, 2022
Successfully merging this pull request may close these issues.

Update dependency "follow-redirects" to mitigate CVE-2022-0155