proxy-agent version 2.3.1 is a minor update over the previous stable release, 2.3.0; the only difference visible in the package metadata is a dependency adjustment. Both versions serve the same role: dynamically mapping a proxy URL's protocol to the matching http.Agent implementation in Node.js, so that HTTP and HTTPS requests can be routed through HTTP, HTTPS, PAC and SOCKS proxies without the caller handling each protocol separately. Developers working behind corporate proxies or with complex egress configurations will find this library useful for managing outbound connections.
The key difference lies in the socks-proxy-agent dependency. Version 2.3.0 depends on socks-proxy-agent 4.0.0, whereas version 2.3.1 pins it back to 3.0.0. The comparison itself does not state the reason, but reverting a dependency to its previous major version is the usual way to undo a regression introduced by that major (a new major of a dependency can change its API or its supported Node.js range). Developers using SOCKS proxies should check which version of socks-proxy-agent their lockfile actually resolves (npm ls socks-proxy-agent) and verify that their SOCKS configuration still works after the change. Reading the changelogs of both proxy-agent and socks-proxy-agent around these releases is recommended to understand the rationale, and to confirm that pinning the older major does not leave known socks-proxy-agent fixes out of the tree.
The core functionality and the other dependencies are identical between the two versions. Both use debug for diagnostic logging, lru-cache for caching, and proxy-from-env for picking up proxy settings from the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables. The shared use of agent-base, pac-proxy-agent, http-proxy-agent and https-proxy-agent covers the remaining proxy types. For developers who need adaptable proxy handling in Node.js applications, proxy-agent remains a reasonable choice, with version 2.3.1 differing only in its SOCKS dependency pin.
Known vulnerabilities in the dependency tree of version 2.3.1
None of the advisories below is in proxy-agent itself. pac-proxy-agent pulls in pac-resolver, which in turn depends on ip and netmask, so whether an install is exposed depends on the versions the lockfile resolves for those packages (check with npm ls pac-resolver ip netmask). The pac-resolver issue matters whenever the PAC script comes from a source an attacker can influence, such as an environment variable or an auto-discovered URL; the ip and netmask issues matter wherever an address string is classified before a connection is allowed.
Code Injection in pac-resolver
This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. NOTE: The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.
ip SSRF improper categorization in isPublic
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Improper parsing of octal bytes in netmask
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
NOTE: The fix for this issue was incomplete. A subsequent fix was made in version 2.0.1, which was assigned CVE-2021-29418 / GHSA-pch5-whg9-qr2r. For complete protection from this vulnerability an upgrade to version 2.0.1 or later is recommended.
netmask npm package mishandles octal input data
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
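The ip and netmask advisories above share one root cause: an address string is interpreted leniently (shorthand such as 127.1, leading-zero octal, hex, or an IPv4 address wrapped in an IPv6-mapped prefix) and then classified against the wrong value. The following is an added example written for this page, not code from proxy-agent, ip or netmask: a strict normaliser that only accepts canonical dotted-decimal IPv4 and well-formed IPv6 literals, unwraps the ::ffff: mapped form before classifying, and rejects everything else, followed by an egress guard built on it. The category table is illustrative rather than an exhaustive registry, and the inputs 09.1.2.3 and 0x7f.0.0.1 are constructed here to show the same class of lenient-parser inputs; the other suspect inputs are the ones quoted in the advisories.

```javascript
// Added example for this page (not code from proxy-agent, ip or netmask):
// reject non-canonical address spellings before any allow/deny decision.

// Canonical IPv4 only: four decimal groups, no leading zeros (so no octal),
// no hex, no shorthand such as "127.1", no trailing characters.
const STRICT_IPV4 = /^(?:0|[1-9]\d{0,2})(?:\.(?:0|[1-9]\d{0,2})){3}$/;

function parseStrictIPv4(s) {
  if (!STRICT_IPV4.test(s)) return null;
  const octets = s.split('.').map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Expand an IPv6 literal to eight 16-bit groups. Accepts "::" compression and
// an IPv4-mapped tail ("::ffff:a.b.c.d") parsed with the strict IPv4 rules
// above; zone ids, brackets and stray characters yield null.
function parseStrictIPv6(s) {
  if (!/^[0-9a-fA-F:.]+$/.test(s)) return null;
  const halves = s.split('::');
  if (halves.length > 2) return null;
  if (halves.length === 2 && halves[0].includes('.')) return null;

  const toGroups = (chunk) => {
    if (chunk === '') return [];
    const pieces = chunk.split(':');
    const out = [];
    for (let i = 0; i < pieces.length; i++) {
      const p = pieces[i];
      if (p.includes('.')) {
        if (i !== pieces.length - 1) return null; // embedded IPv4 only at the end
        const v4 = parseStrictIPv4(p);
        if (!v4) return null;
        out.push((v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]);
      } else {
        if (!/^[0-9a-fA-F]{1,4}$/.test(p)) return null;
        out.push(parseInt(p, 16));
      }
    }
    return out;
  };

  const head = toGroups(halves[0]);
  if (head === null) return null;
  if (halves.length === 1) return head.length === 8 ? head : null;
  const tail = toGroups(halves[1]);
  if (tail === null) return null;
  const zeros = 8 - head.length - tail.length;
  if (zeros < 1) return null; // "::" must stand for at least one zero group
  return [...head, ...new Array(zeros).fill(0), ...tail];
}

// Coarse categories; illustrative, not an exhaustive address registry.
function classifyIPv4(o) {
  if (o[0] === 0) return 'unspecified';
  if (o[0] === 127) return 'loopback';
  if (o[0] === 10) return 'private';
  if (o[0] === 172 && o[1] >= 16 && o[1] <= 31) return 'private';
  if (o[0] === 192 && o[1] === 168) return 'private';
  if (o[0] === 100 && o[1] >= 64 && o[1] <= 127) return 'private'; // CGNAT
  if (o[0] === 169 && o[1] === 254) return 'link-local';
  if (o[0] >= 224) return 'reserved'; // multicast and above
  return 'public';
}

function classifyIPv6(g) {
  // IPv4-mapped: judge the embedded address, so "::ffff:127.0.0.1" is
  // loopback rather than an exotic-looking public address.
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return classifyIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  }
  if (g.every((x) => x === 0)) return 'unspecified';
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return 'loopback';
  if ((g[0] & 0xfe00) === 0xfc00) return 'private';    // fc00::/7
  if ((g[0] & 0xffc0) === 0xfe80) return 'link-local'; // fe80::/10
  if ((g[0] & 0xff00) === 0xff00) return 'reserved';   // ff00::/8 multicast
  return 'public';
}

// Either { ok: true, category } or { ok: false, reason }. Rejection is the
// default: a string that is not a canonical literal never reaches the table.
function classifyAddress(s) {
  const v4 = parseStrictIPv4(s);
  if (v4) return { ok: true, category: classifyIPv4(v4) };
  const v6 = parseStrictIPv6(s);
  if (v6) return { ok: true, category: classifyIPv6(v6) };
  return { ok: false, reason: 'not a canonical IP literal' };
}

// Egress guard: only canonical, publicly routable literals may be dialled.
function isSafeEgressTarget(s) {
  const r = classifyAddress(s);
  return r.ok && r.category === 'public';
}

// Spellings quoted in the ip and netmask advisories, plus two constructed
// ones ("09.1.2.3": leading zero with a non-octal digit; "0x7f.0.0.1": hex).
const SUSPECT_INPUTS = [
  '127.1', '01200034567', '012.1.2.3', '000:0:0000::01', '::fFFf:127.0.0.1',
  '09.1.2.3', '0x7f.0.0.1',
];

for (const s of [...SUSPECT_INPUTS, '127.0.0.1', '93.184.216.34', '2001:db8::1']) {
  console.log(s.padEnd(18), JSON.stringify(classifyAddress(s)), isSafeEgressTarget(s));
}
```

The design choice is to fail closed on syntax rather than to emulate every lenient interpretation: the two mapped-IPv6 and compressed-zero spellings are parsed and then classified as loopback, while every shorthand, octal or hex spelling is refused before classification, so a later check such as "is this address public?" can only ever see a value the dialler will interpret the same way.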