[Security] Bump https-proxy-agent from 2.2.1 to 2.2.4

[dependabot-preview]

Bumps https-proxy-agent from 2.2.1 to 2.2.4. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Node Security Working Group.

Man-in-the-Middle
[https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection

Affected versions: <2.2.3

Sourced from The npm Advisory Database.

Man-in-the-Middle (MitM)
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When targeting a HTTP proxy, https-proxy-agent opens a socket to the proxy, and sends the proxy server a CONNECT request. If the proxy server responds with something other than a HTTP response 200, https-proxy-agent incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.

Affected versions: < 2.2.3

Release notes

Sourced from https-proxy-agent's releases.

2.2.4

Patches

• Add .editorconfig file: a0d4a20458498fc31e5721471bd2b655e992d44b
• Add .eslintrc.js file: eecea74a1db1c943eaa4f667a561fd47c33da897
• Use a net.Socket instead of a plain EventEmitter for replaying proxy errors: #83
• Remove unused stream module: 9fdcd47bd813e9979ee57920c69e2ee2e0683cd4

Credits

Huge thanks to @​lpinca for helping!

2.2.3

Patches

• Update README with actual secureProxy behavior: #65
• Update proxy to v1.0.0: d0e3c18079119057b05582cb72d4fda21dfc2546
• Remove unreachable code: 46aad0988b471f042856436cf3192b0e09e36fe6
• Test on Node.js 10 and 12: 3535951e482ea52af4888938f59649ed92e81b2b
• Fix compatibility with Node.js >= 10.0.0: #73
• Use an EventEmitter to replay failed proxy connect HTTP requests: #77

Credits

Huge thanks to @​stoically, @​lpinca, and @​zkochan for helping!

2.2.2

Patches

• Remove package-lock.json: c881009b9873707f5c4a0e9c277dde588e1139c7
• Ignore test directory, History.md and .travis.yml when creating npm package. Fixes #42: #45
• Update agent-base to v4.2: #50
• Add TypeScript type definitions: #66
• Feat(typescript): Allow input to be options or string: #68
• Update agent-base to v4.3: #69

Credits

Huge thanks to @​marco-c, @​tareqhs, @​ianhowe76, and @​BYK for helping!

Commits

• 4c4cce8 2.2.4
• 9fdcd47 Remove unused stream module
• 34ea884 Use a net.Socket instead of a plain EventEmitter for replaying proxy erro...
• 4296770 Prettier
• eecea74 Add .eslintrc.js file
• a0d4a20 Add .editorconfig file
• 0d8e8bf 2.2.3
• 850b835 Revert "Use Mocha 5 for Node 4 support"
• f5f56fa Remove Node 4 from Travis
• bb837b9 Revert "Remove Node 4 from Travis"
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

If all status checks pass Dependabot will automatically merge this pull request.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

---

⚠️ Dependabot won't automerge this PR as it didn't detect CI on it ⚠️

You have automerging enabled for this repo but Dependabot didn't detect any CI statuses or checks. You can disable automerging on this repo from here.