http-proxy-middleware moved from 1.0.4 to 1.0.5, a small version bump that brings subtle but potentially impactful changes for developers. Both versions keep the core functionality as a lightweight solution for proxying requests in Connect, Express, and BrowserSync environments. Dependency updates are the primary differentiator.
In version 1.0.5, the lodash dependency was updated from "^4.17.15" to "^4.17.19". While seemingly small, this patch version update within lodash could include bug fixes or performance improvements relevant to developers relying on lodash functionality within http-proxy-middleware. Similarly, the TypeScript version was updated from "^3.8.3" to "^3.9.2", and several @types packages were updated as well. This means improved type safety and potentially better compatibility with newer TypeScript features for those using TypeScript in their projects.
Additionally, several development dependencies were updated, like ws to version ^7.3.0 and @types/node to version ^14.0.3. Although these don't directly affect the runtime behavior of the middleware, they indicate that the development environment and testing frameworks are kept up-to-date, potentially leading to a more robust and reliable library. The unpacked size also increased marginally from 61170 to 61670, reflecting these changes. Developers should update to 1.0.5 to benefit from these dependency updates, ensuring they have the latest bug fixes and improvements.
All the vulnerabilities related to the version 1.0.5 of the package
Denial of service in http-proxy-middleware
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.