The proxy npm package, an HTTP proxy server implementation in Node.js reminiscent of Squid, has been updated from version 2.0.1 to 2.1.0. The core dependencies remain consistent between the two versions, including args for argument parsing, debug for debugging utilities, and basic-auth-parser for handling basic authentication, but there are changes that are relevant for developers. Both versions share the same development dependencies for testing, TypeScript compilation, and type definitions, hinting at a consistent development environment and code quality standards. These include packages like jest, ts-jest, typescript, and various @types packages. The license, repository and author information haven't changed, indicating continued maintenance and open-source commitment by Nathan Rajlich.
The key difference lies in the dist object. Version 2.1.0 exhibits a minor increase in the unpacked size of the package, going from 51008 bytes in version 2.0.1 to 51126 bytes. While seemingly small, this change suggests that the newer version may contain bug fixes, performance improvements, or slight alterations to existing features. Also, the release date shows that version 2.1.0 was published on May 12, 2023, about one week after version 2.0.1 (May 5, 2023). Developers considering upgrading should evaluate whether these minor changes address specific needs or potential issues encountered in the previous version. Given the negligible size difference, the upgrade is likely safe, but developers should still regression test their integrations.
All vulnerabilities related to version 2.1.0 of the package
proxy denial of service vulnerability
A remote attacker can trigger a denial of service through the socket.remoteAddress variable by sending a crafted HTTP request. Use of the undefined variable raises a TypeError exception.
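The failure mode described above, shown as an added example that is not code from the proxy package: an unguarded read of `socket.remoteAddress` next to a guarded one. The helper names, the X-Forwarded-For use and the sample sockets are assumptions constructed for illustration.

```javascript
// Added example; hypothetical helper names, not code from the proxy package.
// Node.js documents that socket.remoteAddress may be undefined once the
// socket has been destroyed (for example, the client already disconnected).

// Unguarded: assumes remoteAddress is always a string.
function clientAddressUnsafe(socket) {
  // Throws TypeError when remoteAddress is undefined.
  return socket.remoteAddress.replace(/^::ffff:/, '');
}

// Guarded: returns null instead of throwing so the caller can drop the request.
function clientAddressSafe(socket) {
  const addr = socket && socket.remoteAddress;
  if (typeof addr !== 'string' || addr.length === 0) return null;
  return addr.replace(/^::ffff:/, '');
}

// Per-request handler: a missing address ends this request only.
function handleRequest(socket, headers) {
  const addr = clientAddressSafe(socket);
  if (addr === null) {
    if (typeof socket.destroy === 'function') socket.destroy();
    return { forwarded: false, reason: 'no remote address' };
  }
  const prior = headers['x-forwarded-for'];
  const xff = prior ? `${prior}, ${addr}` : addr;
  return { forwarded: true, headers: { ...headers, 'x-forwarded-for': xff } };
}

// Constructed sample sockets (plain objects standing in for net.Socket).
const liveSocket = { remoteAddress: '::ffff:192.0.2.10', destroy() {} };
const goneSocket = { remoteAddress: undefined, destroyed: false,
                     destroy() { this.destroyed = true; } };

function demo() {
  let unsafeError = null;
  try { clientAddressUnsafe(goneSocket); } catch (e) { unsafeError = e; }
  return {
    unsafeThrewTypeError: unsafeError instanceof TypeError,
    live: handleRequest(liveSocket, { 'x-forwarded-for': '198.51.100.7' }),
    gone: handleRequest(goneSocket, {}),
  };
}

console.log(demo());
```

In a long-running server the unguarded form turns one bad connection into an uncaught exception for the whole process, which is why the guard sits in the per-request path.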