Http-proxy-middleware, a popular Node.js package for creating HTTP proxies in Connect, Express, and Browser-Sync applications, has seen a recent update from version 1.0.0 to 1.0.1. While seemingly a minor patch, the changes reflect ongoing maintenance and improvements to the library. Both versions maintain the same core dependencies like lodash, is-glob, http-proxy, micromatch, and @types/http-proxy, ensuring continued compatibility with commonly used utility and proxying libraries.
However, the development environment shows the most notable differences. Version 1.0.1 upgrades several development dependencies, including ws, connect, typescript, @types/node, @types/express, @commitlint/cli, and @commitlint/config-conventional. These updates likely bring bug fixes, performance enhancements, or security patches for those tools, while also promoting a more modern development workflow. For instance, upgrading to newer TypeScript versions and the associated type definitions helps ensure type safety and improves code maintainability. The update to connect, a modular HTTP server framework, also brings the latest features and security patches. For developers using http-proxy-middleware, version 1.0.1 offers a more stable and well-maintained environment, reducing the risk of running into issues caused by outdated tooling. The slight change in the number of files packed in the tarball also suggests small adjustments or fixes within the distribution.
All the vulnerabilities related to version 1.0.1 of the package
Denial of service in http-proxy-middleware
Versions of the package http-proxy-middleware before 2.0.7, and from 3.0.0 before 3.0.3, are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
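To make the affected ranges and the failure mode concrete, here is an added example that is not code from the http-proxy-middleware project: `isAffected` checks an installed version string against the two ranges stated above, and `asyncSafe` is a generic Express-style wrapper that routes an async middleware's rejection to `next(err)` so it reaches the application's error handler instead of surfacing as an unhandled promise rejection that terminates the Node.js process. `flakyMiddleware` and its `/__reject__/` marker are constructed stand-ins, not the real matcher behaviour.

```javascript
// Parse "major.minor.patch" (optional leading "v"); pre-release tags are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way compare of two parsed versions: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges from the advisory text: < 2.0.7, or >= 3.0.0 and < 3.0.3.
function isAffected(version) {
  const v = parseSemver(version);
  const lt = (s) => cmp(v, parseSemver(s)) < 0;
  const ge = (s) => cmp(v, parseSemver(s)) >= 0;
  return lt('2.0.7') || (ge('3.0.0') && lt('3.0.3'));
}

// Express calls middleware without awaiting it, so a rejection from an async
// middleware is nobody's to catch. By default modern Node.js exits the process
// on an unhandled rejection, which is exactly the DoS described above.
// This wrapper (a generic mitigation pattern, not the project's fix) converts
// the rejection into next(err), keeping the process alive.
function asyncSafe(middleware) {
  return (req, res, next) =>
    Promise.resolve()
      .then(() => middleware(req, res, next))
      .catch(next);
}

// Constructed stand-in: rejects asynchronously for a marker path, like a
// matcher that throws on certain inputs.
async function flakyMiddleware(req, res, next) {
  if (req.url.includes('/__reject__/')) throw new Error('matcher rejected path');
  next();
}

// Resolves to 'passed' or 'handled: <message>'; never crashes the process.
function classify(url) {
  return new Promise((resolve) =>
    asyncSafe(flakyMiddleware)({ url }, {}, (err) =>
      resolve(err ? `handled: ${err.message}` : 'passed')));
}
```

Dropping the `asyncSafe` wrapper around `flakyMiddleware` and requesting the marker path reproduces the process-terminating unhandled rejection, which is a useful way to confirm that an application's error handling covers async middleware.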