The https-proxy-agent package, a crucial tool for Node.js developers needing to route HTTPS requests through HTTP(S) proxies, saw a minor yet significant update from version 0.3.4 to 0.3.5. Both versions provide an http.Agent implementation designed specifically for handling HTTPS traffic via proxies, a common requirement in corporate environments or when working with services behind firewalls. Key features remain consistent: reliance on dependencies like extend and agent-base for core functionality, and the MIT license ensuring open-source flexibility.
The most notable change is the updated debug dependency. Version 0.3.4 depended on debug ~0.8.0, while version 0.3.5 moves to debug ~1.0.0. This update likely brings in bug fixes, performance improvements, and possibly new debugging features from the newer debug release. For developers who rely on the debug package for tracing and troubleshooting, this upgrade within https-proxy-agent could give clearer insight into proxy connection behavior. Both versions share the same development dependencies, including mocha for testing, proxy for simulating proxy servers, and semver for version handling, suggesting a focus on maintaining existing test coverage and compatibility. Version 0.3.5 was released on June 11, 2014, and version 0.3.4 on April 9, 2014. When selecting a version, developers should weigh their debugging needs against compatibility with the debug version already in their dependency tree.
All the vulnerabilities related to version 0.3.5 of the package, including its dependencies debug and extend
Denial of Service in https-proxy-agent
Versions of https-proxy-agent before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().
Update to version 2.2.0 or later.
Machine-In-The-Middle in https-proxy-agent
Versions of https-proxy-agent prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds to the request with an HTTP status other than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials.
Upgrade to version 3.0.0 or 2.2.3.
debug Inefficient Regular Expression Complexity vulnerability
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. It affects the function useColors in the file src/node.js. Manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 addresses this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685, and upgrading the affected component is recommended. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this is a low-severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.
Prototype Pollution in extend
Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object, causing the addition or modification of a property that will then exist on all objects.
If you're using extend 3.x, upgrade to 3.0.2 or later.
If you're using extend 2.x, upgrade to 2.0.2 or later.
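To make the prototype-pollution class concrete, here is an added example (not code from extend or https-proxy-agent): a naive recursive merge of the kind the advisory describes beside a hardened merge that refuses the keys that reach Object.prototype, plus a regression check a test suite can run against whatever merge helper a project uses. The merge payload and function names are constructed for illustration.

```javascript
'use strict';

// Naive recursive merge in the style that made pre-fix extend() vulnerable
// (illustrative reconstruction, not the package's source).
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // For key "__proto__", target[key] evaluates to Object.prototype, so the
      // recursion below writes the attacker's properties onto every object.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that let a merge climb from a plain object into shared prototypes.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: skips the unsafe keys and only recurses into objects that
// are the target's own properties, never into anything inherited.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample request body. JSON.parse creates "__proto__" as an
// ordinary own property, which is exactly what reaches a merge helper.
const PAYLOAD = JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}');

// Regression check: merge the payload into an empty object and report whether
// an unrelated fresh object now carries the injected property.
function mergeAndCheck(mergeFn) {
  mergeFn({}, PAYLOAD);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so later code is unaffected
  return leaked;
}
```

Running mergeAndCheck against the project's real merge helper is a cheap unit test that catches a regression to the vulnerable behaviour.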