Please create a 2.x branch and pull in this commit and publish

[AaronFriel]

This will unblock many, many people who are unable to resolve npm audit errors in their CI/CD system.

AaronFriel@25d3006

[stabback]

Update Oct 22/2019

This should no longer be an issue, so do not follow the below steps. If you're coming from the future, this will likely not solve your problem.

See #84 (comment) around the resolution. 2.2.3 of https-proxy-agent has been released.

If you have followed the below, remove the workaround with:

1. npm uninstall npm-force-resolutions
2. Remove the resolutions member from your package.json
3. Remove your package-lock.json and node_modules

rm -r node_modules
rm package-lock.json

4. Install everything npm i
5. Re-run your audit npm audit

---

Original fix

In case anyone else's deploys are stuck on this - https://www.npmjs.com/package/npm-force-resolutions may help you out while this is addressed, or while your dependencies update their dependencies (which may need to update their dependencies...)

1. npm i --save-dev npm-force-resolutions
2. Add this to your package.json

    "resolutions": {
        "https-proxy-agent": "^3.0.0"
    }

3. Let npm-force-resolutions do it's thing

rm -r node_modules
npx npm-force-resolutions
npm install

4. re-run your audit npm audit.

This will force your dependencies to update to 3.0.1 as of right now. The bump from 2.2.2 to 3.0.0 can be read about here: https://github.com/TooTallNate/node-https-proxy-agent/releases/tag/3.0.0

Summary of major changes:

• Remove Node 5 and 7 from Travis: 590bc8b
• Remove Node 4 from Travis: 6c804a2

So if you're not running those versions of node, you should be fine. Run your tests, and ensure your application is running fine manually.

Remember to get rid of this workaround as soon as either

1. The security fix is properly applied to 2.2.x
2. All of your various dependencies update their versions.

[jsphkm]

Thanks, I can confirm that this worked. However, the message came back when I removed a package that is dependent of https-proxy-agent

In that case, I ran the commands again to fix it

rm -r node_modules
npx npm-force-resolutions
npm install

[manoharreddyporeddy]

With above steps, it only temporarily goes away. npm i gets the issue back.

[louislva]

@TooTallNate would you be able to publish/merge @AaronFriel's patch?

[ineffyble]

Please do this.

[khitrenovich]

I see that v2.2.3 with the same fix was released couple of hours ago. Is anybody aware about the right way to update the advisory so that npm audit will treat v2.2.3 as patched?

[XhmikosR]

https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies#data-sources-for-security-alerts

Someone should contact GitHub to speed things up.

[khitrenovich]

I just pinged npm security team via email, not sure what's the right way to fix GitHub audit.

[khitrenovich]

I just pinged npm security team via email, not sure what's the right way to fix GitHub audit.

The npm advisory was just updated to mention 2.2.3 as not vulnerable - https://www.npmjs.com/advisories/1184/versions

[TooTallNate]

Done in v2.2.3.