Update proxy-agent
Closed this issue · 5 comments
There is a recent security advisory on proxy-agent 3.1.1 that is used by winston-cloudwatch. The only option currently is to upgrade to 4.x.
To add on to this, I've just received a high severity vulnerability alert from GitHub re: the netmask package, which needs to be upgraded to v2.0.1. The dependency graph is: winston-cloudwatch < proxy-agent < pac-proxy-agent < pac-resolver < netmask.
I've just checked and updating proxy-agent to v4 does not change the fact that the underlying dependencies still use netmask v1.0.6, instead of the patched v2.0.1, so I've posted to the pac-resolver library requesting an update to the netmask library.
Hopefully pac-resolver won't need to increment the major version to do this; if so we will need pac-proxy-agent to be modified.
pac-resolver has now been bumped to 4.2.0 to resolve the netmask issue: https://github.com/TooTallNate/node-pac-resolver/releases
I think that means an update to proxy-agent will be sufficient to fix this within winston-cloudwatch?
Yes, the entire chain is updated, except this last bit.
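
The check described in the thread (whether an upgrade higher in the chain actually replaces netmask v1.0.6) can be scripted against a lockfile. The following is an added example, not code from this thread or from any of the projects named in it; the root project name `my-app` and the sample lockfile are constructed, and the script assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3), follows only the `dependencies` field, and matches dependents by name.

```javascript
// Added example: explain why an outdated transitive package is installed,
// using the "packages" map of an npm lockfile (lockfileVersion 2 or 3).

// Compare plain x.y.z versions (pre-release tags are not handled).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// One entry per installed copy of `target` older than `fixed`, with a
// "root < ... < target" chain in the notation used in the thread.
function findOutdated(lock, target, fixed) {
  const pkgs = lock.packages;
  // Lockfile keys look like "node_modules/a/node_modules/b"; "" is the root project.
  const nameOf = (key) =>
    key === '' ? pkgs[''].name : key.slice(key.lastIndexOf('node_modules/') + 13);
  const dependents = new Map(); // dependency name -> names of packages declaring it
  for (const [key, meta] of Object.entries(pkgs)) {
    for (const dep of Object.keys(meta.dependencies || {})) {
      if (!dependents.has(dep)) dependents.set(dep, new Set());
      dependents.get(dep).add(nameOf(key));
    }
  }
  // Assumption: dependents are matched by name and only the first one is followed.
  const chain = [target];
  for (;;) {
    const parent = [...(dependents.get(chain[0]) || [])].find((p) => !chain.includes(p));
    if (parent === undefined) break;
    chain.unshift(parent);
  }
  return Object.entries(pkgs)
    .filter(([key, meta]) => key !== '' && nameOf(key) === target &&
      cmpVersion(meta.version, fixed) < 0)
    .map(([key, meta]) => ({ path: key, version: meta.version, chain: chain.join(' < ') }));
}

// Constructed lockfile, trimmed to the fields read above; "my-app" is hypothetical.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  '': { name: 'my-app', dependencies: { 'winston-cloudwatch': '*' } },
  'node_modules/winston-cloudwatch': { dependencies: { 'proxy-agent': '*' } },
  'node_modules/proxy-agent': { dependencies: { 'pac-proxy-agent': '*' } },
  'node_modules/pac-proxy-agent': { dependencies: { 'pac-resolver': '*' } },
  'node_modules/pac-resolver': { dependencies: { netmask: '*' } },
  'node_modules/netmask': { version: '1.0.6' },
} };

console.log(findOutdated(SAMPLE_LOCK, 'netmask', '2.0.1'));
```

To run it on a real project, pass the parsed contents of `package-lock.json` in place of `SAMPLE_LOCK`; an empty result means no installed copy is older than the fixed version.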