lazywithclass/winston-cloudwatch

Update proxy-agent

Closed this issue · 5 comments

There is a recent security advisory on proxy-agent 3.1.1 that is used by winston-cloudwatch. The only option currently is to upgrade to 4.x.

To add on to this, I've just received a high severity vulnerability alert from GitHub re: the netmask package, which needs to be upgraded to v2.0.1. The dependency graph is: winston-cloudwatch < proxy-agent < pac-proxy-agent < pac-resolver < netmask.

I've just checked and updating proxy-agent to v4 does not change the fact that the underlying dependencies still use netmask v1.0.6, instead of the patched v2.0.1, so I've posted to the pac-resolver library requesting an update to the netmask library.

Hopefully pac-resolver won't need to increment the major version to do this; if so we will need pac-proxy-agent to be modified.

pac-resolver has now been bumped to 4.2.0 to resolve the netmask issue: https://github.com/TooTallNate/node-pac-resolver/releases

I think that means an update to proxy-agent will be sufficient to fix this within winston-cloudwatch?

Yes, the entire chain is updated, except this last bit.

Fixed in #148

Thanks @dw-bayer
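
As an added example (not code from this thread or from winston-cloudwatch), the check described in the comments, whether any installed copy of netmask is still older than 2.0.1 after bumping proxy-agent, can be scripted over the nested tree shape that `npm ls --json` prints. The sample trees and their version numbers are constructed, apart from the netmask and pac-resolver versions named in the thread; `lessThan`, `findPaths` and `sampleTree` are hypothetical helper names.

```javascript
// Added example. Input mirrors the nested shape of `npm ls --json` output.

// Compare plain "major.minor.patch" strings.
// Assumption: no prerelease or build tags in the versions being compared.
function lessThan(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Walk the tree and return every dependency chain that ends at `target`,
// flagging chains whose installed version is older than `fixedVersion`.
function findPaths(node, target, fixedVersion, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    if (!dep.version) continue; // unresolved or missing entry: nothing installed
    const chain = [...trail, `${name}@${dep.version}`];
    if (name === target) {
      hits.push({
        chain: chain.join(' > '),
        vulnerable: lessThan(dep.version, fixedVersion),
      });
    }
    hits.push(...findPaths(dep, target, fixedVersion, chain));
  }
  return hits;
}

// Constructed sample tree following the chain named in the thread.
// proxy-agent and pac-proxy-agent versions here are placeholders.
function sampleTree(pacResolver, netmask) {
  return { name: 'winston-cloudwatch', dependencies: {
    'proxy-agent': { version: '4.0.0', dependencies: {
      'pac-proxy-agent': { version: '4.0.0', dependencies: {
        'pac-resolver': { version: pacResolver, dependencies: {
          netmask: { version: netmask } } } } } } } } };
}

// proxy-agent bumped, but the transitive netmask is still the old one.
const before = findPaths(sampleTree('4.1.0', '1.0.6'), 'netmask', '2.0.1');
// After pac-resolver 4.2.0 pulls in the patched netmask.
const after = findPaths(sampleTree('4.2.0', '2.0.1'), 'netmask', '2.0.1');
console.log(before, after);
```

Against a real install, feed `findPaths` the parsed output of `npm ls --json` in place of `sampleTree(...)`.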