Security vulnerability caused by https-proxy-agent #304
Comments
@mastermatt Thanks for the heads up -- we dropped into the PR thread to see if we can get Nate to let everyone know if he plans on fixing this or not: TooTallNate/proxy-agents#76 In the meanwhile -- if you're not using the proxy features of the New Relic agent (which require explicit configuration) you should be unaffected by this particular vulnerability (other than, of course, your build system and Snyk). I'd also encourage you to chime into the PR thread -- sometimes it takes a few folks being affected to get the attention of an open source maintainer. We intend to monitor the situation and, depending on Nate's response, take appropriate action. If there's anything else we can do in the meanwhile please let us know.
@astormnewrelic Version 3.0.0 is out with a fix! TooTallNate/node-https-proxy-agent#77
@kadler15 We know! The system works! We're still stuck with a "release internally, push to public GitHub workflow", but the new
@kadler15 @mastermatt Agent version 5.13.1 has hit the wires, and includes the latest
Last week a MitM vulnerability was publicly disclosed for one of the prod dependencies, https-proxy-agent. https://hackerone.com/reports/541502
There is no published fix at this time, although there is a PR open. TooTallNate/proxy-agents#76.
Short of removing the dep, there isn't much this lib is able to do. However, I'm opening this issue as a notice.
The vulnerability is registered with Snyk as a medium threat and my builds are now failing because we use the NR agent.