
About avoiding the issue of "http-proxy" vulnerability warning from "npm audit" #9018

Closed
r2d2doomchit opened this issue May 15, 2020 · 4 comments

Comments

@r2d2doomchit

r2d2doomchit commented May 15, 2020

From May 14, 2020,

NPM raised the "http-proxy" package's security vulnerability warning to HighLevel.

https://www.npmjs.com/advisories/1486

As a result, the "http-proxy" package was blocked and warned about by npm-audit.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server > http-proxy-middleware > │
│               │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1486                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

npm audit fails on http-proxy #9017

I know that this package is used in the CRA's "react-scripts" package.
Thus, node-package-management attempts are blocked at the root of all CRA-based projects.

found 2 vulnerabilities (1 low, 1 high)
Run 'npm audit fix' to fix them, or 'npm audit' for details

https://github.com/http-party/node-http-proxy/tags

webpack/webpack-dev-server#2605

I can't analyze security issues in detail, but according to two references, (a) where "http-proxy" is referenced in the CRA and (b) the "npm audit log":

react-scripts > webpack-dev-server > http-proxy-middleware > http-proxy

I thought only "webpack-dev-server" was directly affected by this issue.

Based on these,

  1. "npm build" is not affected. Is this right?
  2. When opening the dev server through "npm start", if this is localhost or a private network, it seems irrelevant to this security issue. Is this right?

I was just wondering before using the npm-install "--no-audit" option.

npm install [package-name] --no-audit

Please give me any comment on this.
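The question above comes down to one check: does every dependency path to the flagged package enter through build tooling that never ships in the production bundle? The following is an added example (not code from the create-react-app issue, from npm, or from react-scripts) that encodes that check. The `package.json` excerpt and the audit findings are constructed to mirror the table quoted above; the `BUILD_TOOLING` set, which treats `react-scripts` as dev-time tooling, is an assumption the reader must confirm for their own project. One caveat it makes visible: CRA templates declare `react-scripts` under `dependencies`, not `devDependencies`, so npm's own dev/production distinction would report this path as production unless you supply that knowledge yourself.

```javascript
// Added example: classify npm-audit-style findings by whether every path to the
// vulnerable package enters through a devDependency or known build tooling.
// All inputs below are constructed; the findings shape (module, paths) mirrors
// the table `npm audit` prints, not npm's exact JSON layout.

// Constructed package.json excerpt. react-scripts is deliberately placed under
// "dependencies", as CRA templates do, so the classifier cannot rely on
// devDependencies alone.
const packageJson = {
  dependencies: {
    react: "^16.13.1",
    "react-dom": "^16.13.1",
    "react-scripts": "3.4.1",
  },
  devDependencies: {},
};

// Constructed findings. The first mirrors advisory 1486 from the issue; the
// second is a placeholder (not a real advisory) that exercises the production branch.
const auditFindings = [
  {
    advisory: "https://npmjs.com/advisories/1486",
    severity: "high",
    title: "Denial of Service",
    module: "http-proxy",
    paths: ["react-scripts>webpack-dev-server>http-proxy-middleware>http-proxy"],
  },
  {
    advisory: "PLACEHOLDER-LOW", // constructed placeholder id
    severity: "low",
    title: "Placeholder finding",
    module: "example-runtime-lib", // constructed package name
    paths: ["react>example-runtime-lib"],
  },
];

// Build tooling assumed never to reach the production bundle even when declared
// under "dependencies". This is the reasoning from the issue (only
// webpack-dev-server uses http-proxy, at `npm start` time), stated as an assumption.
const BUILD_TOOLING = new Set(["react-scripts"]);

// npm prints dependency chains as "a>b>c"; the first segment is the direct dependency.
function rootOf(path) {
  return path.split(">")[0].trim();
}

// Classify one finding:
//   "dev-only"     every path enters through a devDependency or build tooling
//   "production"   at least one path enters through a runtime dependency
//   "unknown-root" a path root is not declared in package.json (stale lockfile?)
function classifyFinding(finding, pkg, buildTooling = BUILD_TOOLING) {
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const roots = finding.paths.map(rootOf);
  const unknownRoots = roots.filter((r) => !prod.has(r) && !dev.has(r));
  const prodRoots = roots.filter(
    (r) => prod.has(r) && !dev.has(r) && !buildTooling.has(r)
  );
  let exposure = "dev-only";
  if (unknownRoots.length > 0) exposure = "unknown-root";
  else if (prodRoots.length > 0) exposure = "production";
  return {
    module: finding.module,
    severity: finding.severity,
    advisory: finding.advisory,
    exposure,
    roots,
  };
}

// Triage a whole audit: anything not dev-only still needs action before release.
function triage(findings, pkg, buildTooling = BUILD_TOOLING) {
  const results = findings.map((f) => classifyFinding(f, pkg, buildTooling));
  const productionCount = results.filter((r) => r.exposure !== "dev-only").length;
  return { results, productionCount };
}

// Render one line per finding, in the spirit of the npm audit table.
function report(findings, pkg, buildTooling = BUILD_TOOLING) {
  const { results, productionCount } = triage(findings, pkg, buildTooling);
  const lines = results.map(
    (r) =>
      `${r.severity.padEnd(5)} ${r.module.padEnd(20)} ${r.exposure.padEnd(12)} via ${r.roots.join(", ")}`
  );
  lines.push(`${productionCount} finding(s) reach production dependencies`);
  return lines;
}

console.log(report(auditFindings, packageJson).join("\n"));
```

Run with `node` to see the two constructed findings classified: the http-proxy chain is dev-only only because `react-scripts` is in `BUILD_TOOLING`; drop that override and the same chain is reported as production, which is exactly what a plain dev/production split of a CRA `package.json` would say. An `unknown-root` result means the audit path and the manifest disagree and the lockfile should be regenerated before trusting either.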

@erwanriou

I think you are right, but anyhow, by principle, I would not go for a --no-audit. We created this tool for ensuring Node.js keeps secure. If we start using --no-audit for our deploy to bypass CI, then we are already going to the dark side.

I think we should all focus on working on a fix and release it before doing another deploy. We are enough developers here to handle this in a short period of time. In fact, we already have a pull request pending for a fix in http-party/node-http-proxy#1447

@r2d2doomchit
Author

Of course, I don't ignore the "npm-audit" policy.
I just wanted to make sure that we are not affected by the security issue if it is not a development server (webpack-dev-server), because NPM warns that this is a HIGH-level vulnerability.
And I had to continue package management of CRA-based projects with this warning.

Anyway, thank you for your comments and advice, and I'm always grateful to you and all node package contributors.

@stale

stale bot commented Jun 17, 2020

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

@stale stale bot added the stale label Jun 17, 2020
@stale

stale bot commented Jun 23, 2020

This issue has been automatically closed because it has not had any recent activity. If you have a question or comment, please open a new issue.

@stale stale bot closed this as completed Jun 23, 2020