chore: Upgrade proxy agent #163
There was a merge conflict marker committed to the `package-lock.json` in cc0de4b, which coincidentally upgraded the project to use `lockfileVersion` of `2`.
In the transitive dependency [`pac-resolver` there is a known vulnerability][0].

By upgrading `proxy-agent` to latest, we're also upgrading `pac-proxy-agent` and `pac-resolver`.

From reading the changelogs of `proxy-agent`, `pac-proxy-agent` and `pac-resolver`, it is clear that TooTallNate has been careful not to introduce any breaking changes, other than dropping support for old node versions.

* [`proxy-agent@5.0.0`][1]
* [`pac-proxy-agent@5.0.0`][2]
* [`pac-resolver@5.0.0`][3]

By merging this, the minimum supported node version dictated by these dependencies will be 8.

[0]: GHSA-9j49-mfvp-vmhm
[1]: https://github.com/TooTallNate/node-proxy-agent/releases/tag/5.0.0
[2]: https://github.com/TooTallNate/node-pac-proxy-agent/releases/tag/5.0.0
[3]: https://github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0
+1
+1
+1
+1
Ping @lazywithclass
For those who are here because of this security issue, here is a quick fix: add this to your package.json
and this to your scripts section:
Thanks for this. I will update the module this afternoon, expect a minor version change since this might break some people's setup. Again sorry for being late, I am swamped by uni courses.
winston-cloudwatch@3.1.0 is out with these changes. Thanks a lot for your effort.
@lazywithclass thanks!
This PR is branched from #162, which should be merged first.

This PR upgrades transitive dependencies, allowing consumers to avoid a known vulnerability.

Background

In the transitive dependency `pac-resolver` there is a known vulnerability.

Solution

By upgrading `proxy-agent` to latest, we're also upgrading `pac-proxy-agent` and `pac-resolver`.

From reading the changelogs of `proxy-agent`, `pac-proxy-agent` and `pac-resolver`, it is clear that TooTallNate has been careful not to introduce any breaking changes, other than dropping support for very old node versions.

* `proxy-agent@5.0.0`
* `pac-proxy-agent@5.0.0`
* `pac-resolver@5.0.0`

Important

By merging this, the minimum supported node version dictated by these dependencies will be `8`.
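A check a consumer could run against their own `package-lock.json` for the two issues raised in this PR (a committed merge conflict marker, and locked copies of `pac-resolver` older than the `5.0.0` upgrade target), as an added example that is not code from this project. The sample lockfile is constructed, the function names are hypothetical, and treating every version below `5.0.0` as needing the upgrade is an assumption based on the target named above.

```javascript
// Added example, not project code. Assumption: anything below the PR's
// upgrade target pac-resolver@5.0.0 is treated as needing the upgrade.
const MIN_VERSION = [5, 0, 0];
// Constructed lockfileVersion 2 sample, not the project's real lockfile.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 2,
  packages: {
    "node_modules/pac-resolver": { version: "3.0.0" },
    "node_modules/other/node_modules/pac-resolver": { version: "5.0.0" },
  },
  dependencies: {
    "pac-proxy-agent": { version: "3.0.1", dependencies: { "pac-resolver": { version: "3.0.0" } } },
  },
}, null, 2);
// 1-based line numbers that hold git merge conflict markers.
function findConflictMarkers(text) {
  const isMarker = (line) => /^(<{7}|={7}|>{7})( |$)/.test(line);
  return text.split(/\r?\n/).flatMap((line, i) => (isMarker(line) ? [i + 1] : []));
}
// True when a locked version (pre-release tag ignored) sorts below `min`.
function isBelow(version, min) {
  const p = version.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((p[i] || 0) !== min[i]) return (p[i] || 0) < min[i];
  return false;
}
// Every locked copy of `name` below `min`, from the v2 "packages" map and
// from the nested "dependencies" tree kept for older npm clients.
function findOldCopies(lock, name, min) {
  const hits = [];
  const old = (meta) => Boolean(meta.version) && isBelow(meta.version, min);
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + name) && old(meta)) hits.push(`${path}@${meta.version}`);
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      if (dep === name && old(meta)) hits.push(`${[...trail, dep].join(" > ")}@${meta.version}`);
      walk(meta.dependencies, [...trail, dep]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Conflict markers make the file invalid JSON, so report them before parsing.
function auditLockfile(text) {
  const markers = findConflictMarkers(text);
  const old = markers.length ? [] : findOldCopies(JSON.parse(text), "pac-resolver", MIN_VERSION);
  return { markers, old };
}
```

To audit a real project, pass the contents of its `package-lock.json` (read with `fs.readFileSync(path, "utf8")`) to `auditLockfile`.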