node-http-proxy

Update dependency "follow-redirects" to mitigate CVE-2022-0536

Open PersonMeetup opened this issue 3 years ago • 7 comments

Report at GHSA-pw2r-vq6v-hr8c

Recommend #1564 updates to 1.14.8 rather than 1.14.7

PersonMeetup, Feb 13 '22 03:02

Need this too

fabiohaertel, Mar 07 '22 13:03

Please update "follow-redirects" to >= 1.14.8 Refer this https://github.com/advisories/GHSA-pw2r-vq6v-hr8c

ghost, Mar 10 '22 11:03

Need this too

Skrigueztep, May 31 '22 17:05

Any updates on release?

anand-gopinath, Jan 09 '24 17:01

Any updates on release?

Judging by it being nearly 2 years since I made this issue, I'm in agreement with #1653 that this repo is unmaintained. Best option is to migrate away from this package if possible. I'll keep this issue open, even if all it serves as is a warning that this won't be solved anytime soon.

PersonMeetup, Jan 09 '24 18:01

I sort of solved it by forcing npm to use the latest version through:

{ "overrides": { "follow-redirects": ">=1.15.4" } }

No side effects for me

fabiohaertel, Jan 11 '24 01:01

{ "overrides": { "follow-redirects": ">=1.15.4" } }

@fabiohaertel Where are you adding the override? I was planning on adding it to my project's package.json like so:

"overrides": {
    "http-proxy": {
        "follow-redirects": ">=1.15.4"
    }
}

If I'm not mistaken, the way you have it written will bump the version of follow-redirects everywhere in your project, and not just within the http-proxy package. That may be fine, but just to limit the scope of change, I provided another solution above.

ryanomor, Jan 19 '24 16:01