
node-http-proxy

Open kasasusmitha12 opened this issue 1 year ago • 2 comments

We need to upgrade this version "1.15.6". We have found a vulnerability in the "follow-redirects" package. Please consider upgrading and releasing new release notes for the package. Here I am providing CVE and Vendor Advisories.

CVE - https://nvd.nist.gov/vuln/detail/CVE-2024-28849

Vendor Advisories
- https://github.com/follow-redirects/follow-redirects/releases/tag/v1.15.6
- https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
- https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp

kasasusmitha12, Apr 02 '24 08:04

Updating your dependency lock-file should resolve this issue.

follow-redirects is configured with ^, so you should be able to get the minor versions.

https://github.com/http-party/node-http-proxy/blob/9b96cd725127a024dabebec6c7ea8c807272223d/package.json#L14-L18

chimurai, Apr 02 '24 16:04

Like the above comment, updating the lock file should solve the issue.

ravin00, Oct 27 '24 19:10