http-proxy vulnerability

[panuhorsmalahti]

• webpack-dev-server Version: 3.11.0

• This is a bug
• This is a modification request

http-proxy, a dependency of webpack-dev-server has a vulnerability.

=== npm audit security report ===                        
                                                                                
                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  High            Denial of Service                                             
                                                                                
  Package         http-proxy                                                    
                                                                                
  Patched in      No patch available                                            
                                                                                
  Dependency of   webpack-dev-server [dev]                                      
                                                                                
  Path            webpack-dev-server > http-proxy-middleware > http-proxy       
                                                                                
  More info       https://npmjs.com/advisories/1486       

`-- webpack-dev-server@3.11.0
  `-- http-proxy-middleware@0.19.1
    `-- http-proxy@1.18.0

More info:
http-party/node-http-proxy#1446
https://www.npmjs.com/advisories/1486

[aitchiss]

Came here to report the same - it's causing failing builds with npm audit - hoping a quick fix is on its way

[alexander-akait]

Please open an issue in http-proxy-middleware or http-proxy, all version affected of http-proxy, we can't fix it on our side

[trevoreyre]

There is an open issue in http-proxy for this. http-party/node-http-proxy#1446

I think this issue should remain open, since webpack-dev-server will need to be patched with the fixed version of http-proxy once it's available.

[sailfish009]

i am newbie here, excuse my ignorance.
i can use bottle.py(with bjoern) as backend server, why do i need dev-server and proxy?
want to disable completely. sure there will be reason for this.

[chimurai]

Hi, maintainer of http-proxy-middleware.

http-party/node-http-proxy#1447 just got published in http-proxy@1.18.1

Will patch http-proxy-middleware soon.

Any reason for WDS to support deprecated node >=6.11.5?
https://github.com/webpack/webpack-dev-server/blob/master/package.json#L14

http-proxy-middleware started dropping support for node 6 in 0.20.0

If possible, migrate to http-proxy-middleware@1.x.x ; Which supports node 8 and up.
Only breaking change is node support and explicit import of http-proxy-middleware.
More info: https://github.com/chimurai/http-proxy-middleware/releases/tag/v1.0.0

I know it's a constant struggle to support legacy, fix security issues versus moving on...

Let me know if the older version needs patching too (0.19.x)

edit: refreshing/updating lockfiles should already work

[vtereshyn]

Fixed inside #2616

[chimurai]

Just published http-proxy-middleware@0.19.2

Hopefully this'll ease the process to patch the current version of WDS without rushing to release WDS@4.0

[alexander-akait]

Great, so just update your lock files and all will be fine 👍

[koltyakov]

@evilebottnawi, Updating locks is possible but a fragile solution. If possible to bump WDS v3 with a version of http-proxy-middleware without vulnerability and still with Node v6 support, why not? That should not introduce a breaking change anymore, isn't it? Do you see any risks?