
http-proxy denial of service vulnerability #1768

Merged
merged 3 commits into from
Jul 16, 2020

Conversation

fozzleberry
Contributor

@fozzleberry fozzleberry commented Jun 3, 2020

bumped http-proxy to >=1.18.1 to fix Denial of Service vulnerability from NPM Audit

fixes #1764

REQUIRES DROPPING NODE V6

@fozzleberry fozzleberry changed the title http-proxy denial of service vulnerability #1764 http-proxy denial of service vulnerability Jun 3, 2020
@mattshirlaw-finocomp

mattshirlaw-finocomp commented Jun 4, 2020

@fozzleberry in the comments to the linked issue @denisbrodbeck mentioned that http-proxy 1.18.1 drops support for node 6. Since browser-sync still supports node 6 is this PR going to break anything?

@fozzleberry
Contributor Author

fozzleberry commented Jun 4, 2020

@mattshirlaw-finocomp I assumed it wouldn't have with it only being a minor semver bump. But yes, it will. They bumped the node "engines" to >= 8.0.0

I'm guessing they support the last 3 LTS versions of node only

https://github.com/http-party/node-http-proxy/pull/1397/files
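The thread's problem in a checkable form: a security bump of a dependency can silently raise the Node `engines` floor above what the consuming project still declares. The following is an added example, not code from browser-sync or http-proxy; the manifests and the `checkBump` / `compareVersions` helpers are constructed for illustration, and the `engines` value for the older http-proxy manifest is a placeholder rather than the real one.

```javascript
// Minimal MAJOR.MINOR.PATCH parsing; enough for ">=X.Y.Z" floors and plain versions.
function parseVersion(v) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so "1.18.10" sorts after "1.18.1" (string compare would not).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version named in a ">=X.Y.Z" range string.
function floorOf(range) {
  return parseVersion(range).join(".");
}

// Given the consumer's package.json and the manifest of the dependency version
// actually resolved, report whether the fix is present and whether the
// dependency's Node floor now exceeds the consumer's declared Node floor.
function checkBump(consumerPkg, depPkg, fixedVersion) {
  const resolved = depPkg.version;
  const patched = compareVersions(resolved, fixedVersion) >= 0;
  const consumerFloor = floorOf(consumerPkg.engines.node);
  const depFloor = floorOf((depPkg.engines && depPkg.engines.node) || ">=0.0.0");
  const raisesFloor = compareVersions(depFloor, consumerFloor) > 0;
  return { resolved, patched, consumerFloor, depFloor, raisesFloor };
}

// Constructed sample manifests mirroring the thread: the consumer still
// declares Node 6, the patched http-proxy declares Node >= 8.0.0.
const consumer = { name: "example-app", engines: { node: ">=6.0.0" },
                   dependencies: { "http-proxy": "^1.18.1" } };
const httpProxyPatched = { name: "http-proxy", version: "1.18.1", engines: { node: ">=8.0.0" } };
// Placeholder engines value; constructed, not taken from the real 1.18.0 manifest.
const httpProxyOld = { name: "http-proxy", version: "1.18.0", engines: { node: ">=4.0.0" } };

console.log(checkBump(consumer, httpProxyPatched, "1.18.1"));
console.log(checkBump(consumer, httpProxyOld, "1.18.1"));
```

A `raisesFloor: true` result is the signal to either bump the consumer's own `engines.node` (a breaking change, as the thread concludes) or find a patched release that keeps the old floor.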

@mattshirlaw-finocomp

mattshirlaw-finocomp commented Jun 4, 2020

Ugh 😢 does anyone know what needs to change in browser-sync to drop support for node 6 and make a minor or major version bump for those of us who don't care about node 6?

@fozzleberry
Contributor Author

If you need a quick (and dirty) fix you can clone my fork.

It's up to the maintainers how they progress with node 6 support

@fozzleberry fozzleberry changed the title http-proxy denial of service vulnerability http-proxy denial of service vulnerability (deps) Jun 9, 2020
@fozzleberry fozzleberry changed the title http-proxy denial of service vulnerability (deps) http-proxy denial of service vulnerability Jun 9, 2020
@XhmikosR
Contributor

@shakyShane that's why dependencies shouldn't be locked :/

I know the downsides, but the approach with locking deps requires someone to be able to act fast, which doesn't seem to be the case for this project.

@jeffschwartz

Can we get a status update on this? Is this project dead?

@shakyShane shakyShane merged commit 64f87b9 into BrowserSync:master Jul 16, 2020
@shakyShane
Contributor

browser-sync@2.26.9 :)

Successfully merging this pull request may close these issues.

http-proxy denial of service vulnerability