The https-proxy-agent library, designed for Node.js developers, facilitates making HTTPS requests through HTTP or HTTPS proxies. Versions 0.3.1 and 0.3.2 share a similar core functionality, both offering an http.Agent implementation tailored for secure proxy communication. They both define the same dependencies such as debug, extend, and agent-base, and development dependencies including mocha, proxy, and semver, suggesting a stable development environment and a commitment to testing.
The primary distinction between these versions lies in their release dates. Version 0.3.2 was published on November 18, 2013, a couple of days after version 0.3.1, which was released on November 16, 2013. Given how little time passed between the releases, the changes are likely limited to bug fixes or very minor improvements. For developers, upgrading from 0.3.1 to 0.3.2 is recommended, as it likely addresses issues detected shortly after the initial 0.3.1 release. While the core functionality is unchanged, staying on the latest patch version gives a more stable and reliable experience when routing HTTPS traffic through proxies. Both versions are licensed under the MIT license, which lets developers use, modify, and distribute the library as needed.
All vulnerabilities affecting version 0.3.2 of the package
Denial of Service in https-proxy-agent
Versions of https-proxy-agent before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().
Update to version 2.2.0 or later.
Machine-In-The-Middle in https-proxy-agent
Versions of https-proxy-agent prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds to the CONNECT request with an HTTP status other than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials.
Upgrade to version 3.0.0 or 2.2.3.
debug Inefficient Regular Expression Complexity vulnerability
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this issue is rated low severity.
This was later re-introduced in version 3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Version 2.x.x: Update to version 2.6.9 or later.
Version 3.1.x: Update to version 3.1.0 or later.
Version 3.2.x: Update to version 3.2.7 or later.
Version 4.x.x: Update to version 4.3.1 or later.
Prototype Pollution in extend
Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object, causing the addition or modification of a property that will then exist on all objects.
If you're using extend 3.x, upgrade to 3.0.2 or later.
If you're using extend 2.x, upgrade to 2.0.2 or later.
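The fix in extend 3.0.2 and 2.0.2 amounts to refusing to walk through the prototype-related keys during a deep merge. The following is an added example, not extend's own code, of a deep merge in the spirit of extend(true, target, source) that skips those keys at every depth, together with a snapshot/diff pair a test suite can use to confirm Object.prototype is untouched after merging untrusted JSON. Function names are hypothetical and the JSON input in the checks is constructed.

```javascript
'use strict';
// Added example, not extend's own code. Function names are hypothetical.
// A deep merge that cannot reach Object.prototype, plus a before/after check
// on Object.prototype's own properties.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Recursively copies own enumerable keys of source into target.
// JSON.parse('{"__proto__": {...}}') yields an *own* key named __proto__,
// which Object.keys() reports; a naive merge assigns through it and lands on
// Object.prototype. Here such keys are skipped at every depth, and recursion
// only happens into plain objects, never into functions or class instances.
function safeExtend(target, source) {
  if (!isPlainObject(target)) throw new TypeError('target must be a plain object');
  if (!isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeExtend(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Records Object.prototype's own property names so a later diff can reveal
// anything a merge (or any other code path) added to it.
function snapshotObjectPrototype() {
  return new Set(Object.getOwnPropertyNames(Object.prototype));
}

// Names present on Object.prototype now that were absent in the snapshot.
// An empty array means no pollution happened in between.
function newPrototypeKeys(snapshot) {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !snapshot.has(k));
}
```

Taking a snapshot in a test's setup and asserting newPrototypeKeys() is empty in its teardown catches pollution from any merge or parser in the code under test, not only from the one shown here.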