
Security vulnerability caused by https-proxy-agent #304

Closed
mastermatt opened this issue Oct 2, 2019 · 4 comments

Comments

@mastermatt

Last week a MitM vulnerability was publicly disclosed for one of the prod dependencies https-proxy-agent.
https://hackerone.com/reports/541502

There is no published fix at this time, although there is a PR open. TooTallNate/proxy-agents#76.

Short of removing the dep, there isn't much this lib is able to do. However, I'm opening this issue as a notice.
The vulnerability is registered with Snyk as a medium threat and my builds are now failing because we use the NR agent.

@astormnewrelic (Contributor)

@mastermatt Thanks for the heads up -- we dropped into the PR thread to see if we can get Nate to let everyone know if he plans on fixing this or not: TooTallNate/proxy-agents#76

In the meanwhile -- if you're not using the proxy features of the New Relic agent (which require explicit configuration) you should be unaffected by this particular vulnerability (other than, of course, your build system and Snyk). I'd also encourage you to chime into the PR thread -- sometimes it takes a few folks being affected to get the attention of an open source maintainer.

We intend to monitor the situation and, depending on Nate's response, take appropriate action. If there's anything else we can do in the meanwhile please let us know.

@kadler15 commented Oct 9, 2019

@astormnewrelic Version 3.0.0 is out with a fix! TooTallNate/node-https-proxy-agent#77

@astormnewrelic (Contributor)

@kadler15 We know! The system works! We're still stuck with a "release internally, push to public GitHub workflow", but the new http-proxy-agent is coming ASAP. Once we have the release out we'll update this ticket with the details.

@astormnewrelic (Contributor)

@kadler15 @mastermatt Agent version 5.13.1 has hit the wires, and includes the latest http-proxy-agent, so we should be all good here. We're going to close this issue out, but don't hesitate to reopen/comment if there's more to say or do, and thanks again for bringing this to our attention!
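The thread above boils down to one supply-chain question for anyone depending on the New Relic agent: does my lockfile still contain a copy of https-proxy-agent older than 3.0.0, the version the thread identifies as shipping the fix? The script below is an added example, not code from the New Relic agent, https-proxy-agent, or anyone in this thread. It walks a lockfile v1-style nested `dependencies` tree, reports every copy of the package with its path, and flags those below the fixed version. The sample lockfile and its version numbers are constructed for illustration; the semver comparison is a deliberately minimal numeric one.

```javascript
// Added example (not from the New Relic agent or https-proxy-agent projects):
// walk a package-lock.json dependency tree and report every copy of
// https-proxy-agent older than 3.0.0, the version this thread identifies
// as carrying the fix for the disclosed MitM issue.

const FIXED_VERSION = '3.0.0'; // per the thread: 3.0.0 ships the fix

// Minimal semver comparison on the numeric major.minor.patch core.
// Range prefixes (^, ~, >=) are stripped; pre-release tags and build
// metadata are ignored, which is acceptable for an audit heuristic.
function compareVersions(a, b) {
  const parse = v => v.replace(/^[^\d]*/, '').split(/[-+]/)[0].split('.').map(Number);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect { path, version } for each copy of `name` in a
// nested "dependencies" tree (transitive copies included).
function findPackage(deps, name, trail = [], out = []) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = [...trail, dep];
    if (dep === name && info.version) {
      out.push({ path: here.join(' > '), version: info.version });
    }
    findPackage(info.dependencies, name, here, out);
  }
  return out;
}

// Audit a parsed lockfile object: every hit gets a `vulnerable` flag that
// is true when its version sorts below the fixed version.
function auditLock(lock, name = 'https-proxy-agent', fixed = FIXED_VERSION) {
  return findPackage(lock.dependencies, name).map(hit => ({
    ...hit,
    vulnerable: compareVersions(hit.version, fixed) < 0,
  }));
}

// Constructed sample lockfile: one transitive copy still on 2.x (reached
// through a hypothetical dependency) and one direct copy already on 3.0.0.
// Package name and version numbers are illustrative, not from the page.
const SAMPLE_LOCK = {
  dependencies: {
    'example-app-dep': {
      version: '1.0.0',
      dependencies: {
        'https-proxy-agent': { version: '2.2.2' },
      },
    },
    'https-proxy-agent': { version: '3.0.0' },
  },
};

// Stand-alone run: print one line per copy found in the sample lockfile.
if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditLock(SAMPLE_LOCK)) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.path} @ ${r.version}`);
  }
}
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the path column tells you which top-level dependency is pulling the old copy in, which is the information you need to decide whether an agent upgrade (as in this thread) or a different dependency is the fix.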
