The https-proxy-agent package provides a crucial service for Node.js developers who need to route HTTPS requests through HTTP or HTTPS proxy servers. Version 0.3.0 represents a notable evolution from version 0.2.0, introducing several changes that affect usability and functionality.

A significant difference lies in the expanded dependency list. Version 0.3.0 adds debug and extend, and a newer version of agent-base, as dependencies compared to version 0.2.0. This suggests improved debugging capabilities, potentially allowing developers to gain deeper insight into the library's behaviour during proxy negotiation and request handling. The extend dependency likely facilitates more flexible configuration options or improves the library's ability to merge proxy settings with request options. The jump in agent-base version suggests a more robust and feature-rich agent base, potentially improving connection management and proxy interaction. Version 0.3.0 also adds proxy and semver as devDependencies, indicating improvements in the package's testing and development cycle.

For developers deciding which version to use, the added dependencies in version 0.3.0 point towards a more mature library, offering better diagnostics, configuration flexibility, and potentially more efficient proxy handling. Developers should evaluate their specific needs and weigh the benefits of enhanced debugging and configuration against any potential compatibility concerns with existing projects. Note that each added dependency also widens the package's attack surface: the vulnerabilities listed below include issues in debug and extend themselves, not only in https-proxy-agent.

All vulnerabilities related to version 0.3.0 of the package
Denial of Service in https-proxy-agent
Versions of https-proxy-agent before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().
Update to version 2.2.0 or later.
Machine-In-The-Middle in https-proxy-agent
Versions of https-proxy-agent prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds to the CONNECT request with an HTTP status other than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials.
Upgrade to version 3.0.0 or 2.2.3.
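The fail-closed behaviour the fix above enforces, as an added example that is not https-proxy-agent's own code: parse the response head a proxy returns to a CONNECT request and only allow the socket to be upgraded to TLS on a 200 status. Any other status (or a malformed head) rejects the socket instead of letting the request fall through in plaintext. The sample response heads are constructed for the example.

```javascript
// Added example, not code from https-proxy-agent. Parses a proxy's CONNECT
// response head and decides whether the tunnel may be wrapped in TLS.

// Parse the HTTP response head. Returns null if the head is not yet complete
// (the caller should keep buffering), otherwise { statusCode, reason, headers }.
function parseConnectResponse(head) {
  const end = head.indexOf('\r\n\r\n');
  if (end === -1) return null;
  const lines = head.slice(0, end).split('\r\n');
  const m = /^HTTP\/1\.[01] (\d{3})(?: (.*))?$/.exec(lines[0]);
  if (!m) return { statusCode: 0, reason: 'malformed status line', headers: {} };
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { statusCode: Number(m[1]), reason: m[2] || '', headers };
}

// Decide what to do with the socket. The only path to 'upgrade-tls' is an
// explicit 200; everything else fails closed with 'destroy'.
function tunnelDecision(head) {
  const res = parseConnectResponse(head);
  if (res === null) return { action: 'wait' };
  if (res.statusCode === 200) return { action: 'upgrade-tls', statusCode: 200 };
  // The proxy refused or garbled the tunnel: never reuse this socket for the
  // HTTPS request, since its bytes would travel to the proxy unencrypted.
  return { action: 'destroy', statusCode: res.statusCode, reason: res.reason };
}

// Constructed sample responses (not captured from a real proxy).
const OK_HEAD = 'HTTP/1.1 200 Connection established\r\n\r\n';
const AUTH_HEAD =
  'HTTP/1.1 407 Proxy Authentication Required\r\n' +
  'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n';

console.log(tunnelDecision(OK_HEAD));   // { action: 'upgrade-tls', statusCode: 200 }
console.log(tunnelDecision(AUTH_HEAD)); // { action: 'destroy', statusCode: 407, ... }
```

In a real agent the 'upgrade-tls' branch is where tls.connect() would wrap the socket with the target hostname for certificate validation; the 'destroy' branch calls socket.destroy() and surfaces the proxy's status to the caller as an error.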
debug Inefficient Regular Expression Complexity vulnerability
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Version 2.x.x: Update to version 2.6.9 or later.
Version 3.1.x: Update to version 3.1.0 or later.
Version 3.2.x: Update to version 3.2.7 or later.
Version 4.x.x: Update to version 4.3.1 or later.
Prototype Pollution in extend
Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object, causing the addition or modification of a property that will then exist on all objects.
If you're using extend 3.x, upgrade to 3.0.2 or later.
If you're using extend 2.x, upgrade to 2.0.2 or later.
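The class of bug described above, as an added example that is not the extend package's own code: a naive recursive merge that walks into every key of its input, including "__proto__", beside a hardened merge that refuses prototype-controlling keys. The payload is a constructed JSON document of the kind a deep-merge would receive from untrusted input; the demo reports whether a fresh object inherits the injected property afterwards, and cleans Object.prototype up so the process is not left polluted.

```javascript
// Added example, not code from the extend package.

// Vulnerable pattern: recursing into "__proto__" reaches Object.prototype,
// so the nested keys are written onto every object in the process.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip the keys that steer the prototype chain, iterate only
// own keys, and only recurse into own (not inherited) properties of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload: JSON.parse creates an own property literally named
// "__proto__", which is what a recursive merge then follows.
const PAYLOAD = '{"__proto__": {"polluted": true}, "name": "cfg"}';

// Run one merge implementation and report whether it leaked into the prototype.
function demo(mergeFn) {
  const result = mergeFn({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted === true; // does an unrelated fresh object see it?
  delete Object.prototype.polluted;      // undo any pollution before returning
  return { name: result.name, leaked };
}

console.log('naive:', demo(naiveDeepMerge)); // { name: 'cfg', leaked: true }
console.log('safe: ', demo(safeDeepMerge));  // { name: 'cfg', leaked: false }
```

A cheap runtime check for the same class of issue is to compare Object.keys(Object.prototype) against an empty list after processing untrusted input; Object.freeze(Object.prototype) at startup is a blunter mitigation that turns the write into a no-op (or a TypeError in strict mode) rather than a pollution.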