Use proxy-agent instead of superagent-proxy #5042

Closed

@szaboopeeter szaboopeeter commented Oct 1, 2023

Use proxy-agent instead of superagent-proxy to get rid of vm2

Resolves: #5035, resolves: #5030, resolves: #4921

vm2 is a deprecated package with critical security issues.

For details see:

@ionic-cli has vm2 in its dependency tree via superagent-proxy@3.0.0
image

There have been multiple issues and PRs in superagent-proxy about this. See TooTallNate/superagent-proxy#50 for example. But even after months, no solution has been taken in their repo, which prompted many of the consumers of this library to just cut superagent-proxy and fall back to proxy-agent.

One such example is Microsoft's appcenter-cli, whose approach I followed. Refer to their corresponding PR for details: microsoft/appcenter-cli#2387

Note: proxy-agent has already gotten rid of vm2 as a dependency: TooTallNate/proxy-agents#224

Test results

Tested the change locally by:

  • Pointing Ionic CLI to local instance following the repo's Contribution Guide,
  • setting HTTPS_PROXY env variable to a local proxy instance (Charles Proxy)

See below:
image

@szaboopeeter szaboopeeter force-pushed the remove-superagent-proxy branch from bb7a387 to 3a17d2a Compare October 1, 2023 09:38
@dtarnawsky dtarnawsky requested a review from liamdebeasi October 9, 2023 13:32
@szaboopeeter (Author)

This solution is not complete, I'm not sure how I missed this - apparently the npm commands I ran to build/watch this were not building what I expected. Will close this for now, and re-open if I have time to clean it up.
But either way - reading through the discussions linked in the description I still think this is probably the best route to take sans superagent-proxy pushing a new version with upgraded proxy-agent.
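
Added example, not part of the PR or the Ionic CLI code base: a Node.js check that walks a `package-lock.json` and reports the dependency chain that pulls in `vm2`, so a maintainer can confirm it is gone after the switch. The lockfile is constructed and simplified; the function names are hypothetical, and the code assumes the lockfileVersion 2/3 `packages` layout without workspaces or aliased packages.

```javascript
// Constructed, simplified package-lock.json ("packages" map, lockfileVersion 2/3).
// Only superagent-proxy@3.0.0 and vm2 come from the PR; the rest is illustrative.
const sampleLock = {
  packages: {
    "": { name: "example-cli", dependencies: { "superagent-proxy": "^3.0.0" } },
    "node_modules/superagent-proxy": { version: "3.0.0", dependencies: { "proxy-agent": "^5.0.0" } },
    "node_modules/proxy-agent": { version: "5.0.0", dependencies: { "pac-resolver": "^5.0.0" } },
    "node_modules/pac-resolver": { version: "5.0.0", dependencies: { vm2: "^3.9.0" } },
    "node_modules/pac-resolver/node_modules/vm2": { version: "3.9.0" },
  },
};

// Node-style resolution: look in the dependent's own node_modules, then walk up.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const cut = base.lastIndexOf("node_modules/");
    base = cut <= 0 ? "" : base.slice(0, cut - 1);
  }
}

// Rebuild the "name@version" entries from the root project down to `path`.
function chainOf(packages, parent, path) {
  const chain = [];
  for (let p = path; p; p = parent.get(p))
    chain.unshift(`${p.slice(p.lastIndexOf("node_modules/") + 13)}@${packages[p].version}`);
  return chain;
}

// Breadth-first walk over runtime and optional dependencies from the root;
// returns one shortest chain for every installed copy of `target`.
function findChainsTo(lock, target) {
  const packages = lock.packages || {};
  const parent = new Map([["", null]]);
  const queue = [""], chains = [];
  while (queue.length) {
    const path = queue.shift();
    const pkg = packages[path] || {};
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const child = resolveDep(packages, path, name);
      if (!child || parent.has(child)) continue; // unresolved or already visited
      parent.set(child, path);
      if (name === target) chains.push(chainOf(packages, parent, child));
      else queue.push(child);
    }
  }
  return chains;
}
console.log(findChainsTo(sampleLock, "vm2").map((c) => c.join(" > ")));
```

An empty result for `vm2` on the regenerated lockfile is the signal that the replacement actually removed it from the tree.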
