Http-proxy-agent is a Node.js package that provides an HTTP(s) proxy http.Agent implementation, enabling developers to route HTTP requests through a proxy server when using the standard http and https modules. This functionality is crucial for applications that need to access external resources from behind a firewall or require anonymity.
Comparing versions 0.2.0 and 0.2.1, the core functionality remains the same. Both versions share identical dependencies on "agent-base" (v1.0.1) and "extend" (v1.2.0), as well as the same development dependencies: "mocha" (v1.12.0) for testing and "proxy" (v0.2.0), which appears to be used to run the tests. This suggests that the change between the versions is a bug fix or a minor improvement rather than a major overhaul of the library's features.
The key difference lies in the release date: version 0.2.1 was released on October 28, 2013, approximately a month after version 0.2.0 (September 17, 2013). Developers should note that the later version likely contains bug fixes or small enhancements that improve stability or performance. Since the package is still available today, the changes presumably solved an important problem for the users who chose to keep using it.
The package is licensed under the MIT license, offering developers the freedom to use and modify the code. It is published on npm, as the registry URL shows, and its repository is hosted on GitHub.
All the vulnerabilities related to version 0.2.1 of the package
Resource Exhaustion Denial of Service in http-proxy-agent
A flaw was found in http-proxy-agent prior to version 2.1.0. It was discovered that http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a denial of service through the usage of all available CPU resources, and in data exposure through an uninitialized memory leak, in setups where an attacker could submit typed input to the auth parameter.
Denial of Service in http-proxy-agent
Versions of http-proxy-agent before 2.1.0 are vulnerable to denial of service and uninitialized memory leak when unsanitized options are passed to Buffer. An attacker may leverage these unsanitized options to consume system resources.
Update to version 2.1.0 or later.
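As an added example, not code from http-proxy-agent itself, the following shows the defensive input handling that closes the gap the two advisories above describe: the proxy auth option is accepted only as a non-empty string before it is base64-encoded with Buffer.from, so a numeric value can never reach the Buffer constructor and allocate an uninitialized buffer. The option shape and the sanitizeProxyOptions helper are assumptions for the illustration.

```javascript
// Added example (not http-proxy-agent's own code): build the Proxy-Authorization
// header value from a proxy `auth` option without ever handing untyped input to
// the Buffer constructor. In old Node.js, Buffer(n) with a number n allocates n
// bytes of uninitialized memory, which is the root cause the advisories describe.

function encodeProxyAuth(auth) {
  // Reject anything that is not a string before it can reach Buffer.
  if (typeof auth !== 'string') {
    throw new TypeError('proxy auth must be a string, got ' + typeof auth);
  }
  if (auth.length === 0) {
    throw new TypeError('proxy auth must not be empty');
  }
  // Buffer.from(string) copies the text; it never allocates uninitialized memory.
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Validate a whole proxy options object (assumed shape: host, port, optional auth)
// and return a clean copy; the auth option becomes a validated header instead of
// being forwarded as-is.
function sanitizeProxyOptions(opts) {
  const out = { host: String(opts.host), port: Number(opts.port) };
  if (!Number.isInteger(out.port) || out.port < 1 || out.port > 65535) {
    throw new RangeError('invalid proxy port');
  }
  if (opts.auth !== undefined && opts.auth !== null) {
    out.headers = { 'Proxy-Authorization': encodeProxyAuth(opts.auth) };
  }
  return out;
}

// Constructed sample inputs.
const cleanOpts = sanitizeProxyOptions({ host: 'proxy.example', port: 8080, auth: 'user:pass' });
console.log(cleanOpts.headers['Proxy-Authorization']); // Basic dXNlcjpwYXNz

let numericAuthRejected = false;
try {
  sanitizeProxyOptions({ host: 'proxy.example', port: 8080, auth: 1e9 });
} catch (e) {
  numericAuthRejected = e instanceof TypeError;
}
console.log('numeric auth rejected:', numericAuthRejected); // true
```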
Prototype Pollution in extend
Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
If you're using extend 3.x, upgrade to 3.0.2 or later.
If you're using extend 2.x, upgrade to 2.0.2 or later.