
http-proxy vulnerability #2605

Closed
1 of 2 tasks
panuhorsmalahti opened this issue May 15, 2020 · 16 comments

panuhorsmalahti commented May 15, 2020

  • webpack-dev-server Version: 3.11.0
  • This is a bug
  • This is a modification request

http-proxy, a dependency of webpack-dev-server, has a vulnerability.

=== npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  High            Denial of Service
  Package         http-proxy
  Patched in      No patch available
  Dependency of   webpack-dev-server [dev]
  Path            webpack-dev-server > http-proxy-middleware > http-proxy
  More info       https://npmjs.com/advisories/1486

`-- webpack-dev-server@3.11.0
  `-- http-proxy-middleware@0.19.1
    `-- http-proxy@1.18.0

More info:
http-party/node-http-proxy#1446
https://www.npmjs.com/advisories/1486

panuhorsmalahti changed the title from "http-proxy" to "http-proxy vulnerability" on May 15, 2020
@aitchiss

Came here to report the same - it's causing failing builds with npm audit - hoping a quick fix is on its way

alexander-akait (Member) commented May 15, 2020

Please open an issue in http-proxy-middleware or http-proxy; all versions of http-proxy are affected, we can't fix it on our side.

@trevoreyre

There is an open issue in http-proxy for this. http-party/node-http-proxy#1446

I think this issue should remain open, since webpack-dev-server will need to be patched with the fixed version of http-proxy once it's available.

chimurai (Contributor) commented May 17, 2020

Hi, maintainer of http-proxy-middleware.

http-party/node-http-proxy#1447 just got published in http-proxy@1.18.1

Will patch http-proxy-middleware soon.

Any reason for WDS to support deprecated node >=6.11.5?
https://github.com/webpack/webpack-dev-server/blob/master/package.json#L14

http-proxy-middleware started dropping support for node 6 in 0.20.0

If possible, migrate to http-proxy-middleware@1.x.x, which supports node 8 and up.
The only breaking changes are node support and the explicit import of http-proxy-middleware.
More info: https://github.com/chimurai/http-proxy-middleware/releases/tag/v1.0.0

I know it's a constant struggle to support legacy, fix security issues versus moving on...

Let me know if the older version needs patching too (0.19.x)

edit: refreshing/updating lockfiles should already work

vtereshyn commented May 18, 2020

Fixed inside #2616

chimurai (Contributor)

Just published http-proxy-middleware@0.19.2

Hopefully this'll ease the process to patch the current version of WDS without rushing to release WDS@4.0

alexander-akait (Member)

Great, so just update your lock files and all will be fine 👍

@koltyakov

@evilebottnawi, updating locks is possible but a fragile solution. If it is possible to bump WDS v3 to a version of http-proxy-middleware without the vulnerability and still with Node v6 support, why not? That should not introduce a breaking change anymore, should it? Do you see any risks?

pamit commented May 26, 2020

Hi everyone. Is there any update on this?

@mikemountjoy99

What is the current status on a fix for this vulnerability?
I see http-proxy has merged a patch:
https://github.com/http-party/node-http-proxy/pull/1447/files

filmic commented Jun 3, 2020

You just need to force yarn to update http-proxy indirect dependency version in the lock file (to version 1.18.1).

Yarn does not upgrade indirect dependencies when yarn upgrade is executed (yarnpkg/yarn#4986).

As a workaround, run:
yarn remove webpack-dev-server
yarn add webpack-dev-server -D

mikemountjoy99 commented Jun 10, 2020

Editing package.json and adding an entry for http-proxy-middleware under resolutions forced the package to install:

"resolutions": {
    "http-proxy-middleware": "^1.0.4"
}
I then ran yarn & yarn audit:

yarn

Running an audit showed the high severity warning had gone away:

yarn audit

Output:

1 vulnerabilities found - Packages audited: 3384
Severity: 1 Low
✨  Done in 3.08s.
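
A lockfile check that fits both workarounds above (re-adding webpack-dev-server so yarn re-resolves the transitive dependency, or pinning http-proxy-middleware via resolutions), added here as an example and not part of this thread or the webpack-dev-server project: it parses a yarn v1 lockfile and reports every resolved copy of http-proxy older than 1.18.1, the release chimurai names as carrying the fix. The lockfile text is constructed for the example, the parser handles only the yarn v1 format shown, and the version comparison ignores pre-release tags, which is enough for the x.y.z releases at issue here.

```javascript
// Added example (not webpack-dev-server's or http-proxy-middleware's own code).
// Scans a yarn v1 lockfile for resolved http-proxy versions below the patched 1.18.1.

// Constructed yarn v1 lockfile fragment, modelled on the pre-fix state in this
// thread: http-proxy-middleware 0.19.1 pulling in http-proxy 1.18.0.
const SAMPLE_LOCK_VULNERABLE = `# yarn lockfile v1


http-proxy-middleware@0.19.1:
  version "0.19.1"
  resolved "https://registry.yarnpkg.com/http-proxy-middleware/-/http-proxy-middleware-0.19.1.tgz#sha"
  dependencies:
    http-proxy "^1.17.0"

"http-proxy@^1.17.0", "http-proxy@^1.18.0":
  version "1.18.0"
  resolved "https://registry.yarnpkg.com/http-proxy/-/http-proxy-1.18.0.tgz#sha"
  dependencies:
    eventemitter3 "^4.0.0"
    follow-redirects "^1.0.0"
    requires-port "^1.0.0"
`;

// The same lockfile after the transitive dependency has been forced forward
// (constructed by rewriting the version strings of the fragment above).
const SAMPLE_LOCK_PATCHED = SAMPLE_LOCK_VULNERABLE.replace(/1\.18\.0/g, '1.18.1');

// Parse a yarn v1 lockfile into [{ name, specs, version }] entries.
// Top-level keys are unindented, end with ':' and may list several
// comma-separated "name@range" specifiers; the indented "version" line follows.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (raw.startsWith('#') || raw.trim() === '') continue;
    if (!/^\s/.test(raw) && raw.endsWith(':')) {
      const specs = raw
        .slice(0, -1)
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      // Package name is everything before the last '@', so scoped @org/pkg stays intact.
      const name = specs[0].slice(0, specs[0].lastIndexOf('@'));
      current = { name, specs, version: null };
      entries.push(current);
      continue;
    }
    const m = /^\s+version "([^"]+)"$/.exec(raw);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Numeric comparison of dotted versions: negative if a < b, 0 if equal, positive if a > b.
// Any "-prerelease" suffix is dropped before comparing.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every resolved copy of `pkg` in the lockfile that is older than `fixedIn`.
// The default floor, 1.18.1, is the http-proxy release this thread points to as fixed.
function findUnpatched(lockText, pkg = 'http-proxy', fixedIn = '1.18.1') {
  return parseYarnLock(lockText)
    .filter((e) => e.name === pkg && e.version && compareVersions(e.version, fixedIn) < 0)
    .map((e) => ({ specs: e.specs, version: e.version }));
}

console.log('before re-resolving:', findUnpatched(SAMPLE_LOCK_VULNERABLE));
console.log('after re-resolving: ', findUnpatched(SAMPLE_LOCK_PATCHED));
```

Pointing `findUnpatched` at the contents of a real yarn.lock (for instance `fs.readFileSync('yarn.lock', 'utf8')`) gives a check that does not depend on the audit database, which is useful when an advisory is still marked "No patch available" even though the fixed release is already out; an empty result after `yarn remove`/`yarn add` or a resolutions entry confirms the lockfile really moved.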

@jasverix

This means that webpack-dev-server runs fine on http-proxy-middleware 1.0.4? Is it possible to upgrade it? I can make a pull request of course, but I don't know this package well enough to be aware of eventual consequences of that upgrade.

@chrislujan

I would also like to see this done as it is causing our engineers difficulties

alexander-akait (Member)

Fixed in v4 branch (release will be soon)
