
"Machine-In-The-Middle" Vulnerability Caused by https-proxy-agent Dependency #15878

Closed
JaxonWright opened this issue Oct 18, 2019 · 26 comments

@JaxonWright

This was an NPM advisory that was published earlier today. Running npm audit fix does not solve the problem. Seems like the fix is as simple as updating this dependency for angular-cli.

                       === npm audit security report ===                        
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           


  High            Machine-In-The-Middle                                         

  Package         https-proxy-agent                                             

  Patched in      >=3.0.0                                                       

  Dependency of   @angular/cli [dev]                                            

  Path            @angular/cli > @schematics/update > pacote >                  
                  make-fetch-happen > https-proxy-agent                         

  More info       https://npmjs.com/advisories/1184                             
 High            Machine-In-The-Middle                                         

  Package         https-proxy-agent                                             

  Patched in      >=3.0.0                                                       

  Dependency of   @angular/cli [dev]                                            

  Path            @angular/cli > pacote > make-fetch-happen >                   
                  https-proxy-agent                                             

  More info       https://npmjs.com/advisories/1184                             


  High            Machine-In-The-Middle                                         

  Package         https-proxy-agent                                             

  Patched in      >=3.0.0                                                       

  Dependency of   @angular/cli [dev]                                            

  Path            @angular/cli > @schematics/update > pacote >                  
                  npm-registry-fetch > make-fetch-happen > https-proxy-agent    

  More info       https://npmjs.com/advisories/1184                             


  High            Machine-In-The-Middle                                         

  Package         https-proxy-agent                                             

  Patched in      >=3.0.0                                                       

  Dependency of   @angular/cli [dev]                                            

  Path            @angular/cli > pacote > npm-registry-fetch >                  
                  make-fetch-happen > https-proxy-agent                         

  More info       https://npmjs.com/advisories/1184    
@UrinStone

Same here. Happened after installing firebase-tools.

@fcilurzo

So what do I need to do exactly to fix this?

@stabback

stabback commented Oct 18, 2019

TooTallNate/proxy-agents#84 (comment)

Temporary workaround until https-proxy-agent releases a patch to 2.2.x or the dependency chain is updated.

@alan-agius4
Collaborator

Related issue: npm/make-fetch-happen#5 and fix: npm/make-fetch-happen#6 from upstream package.

@nikhilkapoorephesoft

When can we expect a permanent fix on this?

@alan-agius4
Collaborator

@nikhilkapoorephesoft this is currently marked as blocked as we are waiting on an upstream fix npm/make-fetch-happen#6

@Yorer

Yorer commented Oct 22, 2019

I've tried stabback's workaround; it seemed to work, but I got the same issue back.

@shaozi

shaozi commented Oct 22, 2019

Does this vulnerability impact production build? Seems only dev?

@Eonasdan

Version 2.2.3 was released with the 3.0 patch for this, per issue 84.

@trotyl
Contributor

trotyl commented Oct 22, 2019

Does this vulnerability impact production build? Seems only dev?

Technically speaking there doesn't seem to be a real vulnerability impact, only a developer experience issue caused by the warning. pacote is used by ng add and ng update to retrieve the latest package metadata for checking compatibility, equivalent to calls like http://unpkg.com/@angular/core/package.json. I don't think intercepting that could cause a security issue, except for letting others know you're using Angular.

@Lagombi

Lagombi commented Oct 22, 2019

To anyone as clueless as me, npm audit fix now resolves this issue.

@clydin
Member

clydin commented Oct 22, 2019

This can now be fixed with an update to the package in question to 2.2.3 or via an npm audit fix.

@clydin clydin closed this as completed Oct 22, 2019
@melroy89

melroy89 commented Oct 23, 2019

Uhm, actually I still get issues after I run npm audit fix:

fixed 0 of 21 vulnerabilities in 29087 scanned packages
  21 vulnerabilities required manual review and could not be updated

Did I forget something? I even tried ng update besides npm audit fix, but I couldn't get it working.

I see, by looking at the .lock file, that npm has a dependency on this https-proxy-agent package:
Maybe the npm package should be updated?

            "https-proxy-agent": {
               "version": "2.2.2",
               "bundled": true,
               "requires": {
                  "agent-base": "^4.3.0",
                  "debug": "^3.1.0"
               }
            },

Top of the npm audit output:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libcipm > pacote > make-fetch-happen >                 │
│               │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libnpm > pacote > make-fetch-happen >                  │
│               │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > pacote > make-fetch-happen > https-proxy-agent         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libcipm > pacote > npm-registry-fetch >                │
│               │ make-fetch-happen > https-proxy-agent                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libnpm > pacote > npm-registry-fetch >                 │
│               │ make-fetch-happen > https-proxy-agent                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > pacote > npm-registry-fetch > make-fetch-happen >      │
│               │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libnpm > libnpmaccess > npm-registry-fetch >           │
│               │ make-fetch-happen > https-proxy-agent                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libnpmaccess > npm-registry-fetch > make-fetch-happen  │
│               │ > https-proxy-agent                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libnpm > libnpmhook > npm-registry-fetch >             │
│               │ make-fetch-happen > https-proxy-agent                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libnpmhook > npm-registry-fetch > make-fetch-happen >  │
│               │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libnpm > libnpmorg > npm-registry-fetch >              │
│               │ make-fetch-happen > https-proxy-agent                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@clydin
Member

clydin commented Oct 23, 2019

That appears to be an npm issue. The dependency within make-fetch-happen allows for the use of 2.2.3: https://github.com/npm/make-fetch-happen/blob/052b5b7c36116f01de1aca080acd3a592d14acfa/package.json#L40

If npm is not cooperating, there is also the option to remove both the node modules folder and the lock file and install again.

@melroy89

melroy89 commented Oct 23, 2019

@clydin I tried removing the package-lock.json file and node_modules directory without luck. I don't get npm to install the latest version (v3) of https-proxy-agent, still causing issues with npm audit.

The latest version should use 2.2.3: https://github.com/npm/make-fetch-happen/blob/latest/package.json#L40

@homestar9

@Danger89 Were you able to get npm audit fix to work? I also am having a similar issue even after removing the package-lock.json and purging node_modules.

@melroy89

melroy89 commented Oct 24, 2019

No, I'm not! Then we are facing the same problem... :(

I'm still getting:

fixed 0 of 21 vulnerabilities in 29087 scanned packages
  21 vulnerabilities required manual review and could not be updated

@Jaked222

Jaked222 commented Oct 25, 2019

Same 21 vulnerabilities in my React app. Are there any other threads tracking this issue? Seems like npm won't update the latest version of https-proxy-agent. I am able to repro after deleting node_modules and package-lock.json, and running npm install -> npm audit fix (vulnerabilities are not resolved) -> npm audit.

Edit: Actually, maybe npm isn't updating to 3.0 of https-proxy-agent because it is a new major version?

@w5922xd

w5922xd commented Oct 25, 2019

This is the only thread I've seen.

Same issue for me. 21 vulnerabilities requiring manual review. No clear way to resolve the problem.

@homestar9

This might be random, but do you have "npm" listed as a dependency in your package.json file?
Example: "npm": "^6.12.0"

Try removing it, delete your node_modules folder, and then type npm install. Does that work?
I'm not sure why "npm" was in my list of dependencies, but removing it fixed the problem for me.

@w5922xd

w5922xd commented Oct 25, 2019

@homestar9 I was looking at that yesterday trying to figure out why I had that same version "npm": "^6.12.0". Followed your suggestion - deleted node_modules and ran npm install. No issues with security vulnerabilities now.

Thanks for your help!

@Jaked222

Yep, this solved it for me too.

Not only is including npm as a dependency unnecessary, it probably bloats the package size and (I believe?) prevents the included npm package from updating its dependencies to major versions (with possible breaking changes).

Thanks @homestar9

@JaxonWright
Author

I see no reason why you would ever want to include npm in your package. I'm kind of surprised that npm does not warn you about that.

@melroy89

melroy89 commented Oct 25, 2019

Try removing npm from the dependency list, delete your node_modules folder, and then type npm install. Does that work?
I'm not sure why "npm" was in my list of dependencies, but removing it fixed the problem for me.

Yep, that worked! 👍 I have no idea why this actually solved the problem, since that means that there IS a security problem within the npm package itself. Correct me if I'm wrong.

EDIT: Secondly, is it a bad practice to add npm to the package.json dependencies? Or do we remove npm now as a workaround?

@shim-sao

Here is my solution with npm:

1 - Remove npm from dependencies or devDependencies.

2 - Add it to the engines; its place is there.
For example:

"engines": {
    "node": ">=10.0.0",
    "npm": ">=6.0.0"
  }

3 - Run npm prune to clean up the modules of the project

removed 430 packages and audited 749 packages in 14.787s
found 0 vulnerabilities
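
A small checker for the two conditions this thread converged on, added here as an example and not code from the thread, from npm or from the Angular CLI: it walks a lockfile v1 dependency tree for copies of https-proxy-agent below the patched 2.2.3, flags the bundled ones that npm audit fix cannot replace on their own, and applies shim-sao's move of npm from dependencies to engines. The sample package.json and lock objects are constructed, and the conversion of a caret range into a ">=" engines range is an assumption of this example.

```javascript
// Added example (not from the thread): check an in-memory package.json /
// package-lock.json pair for an unpatched https-proxy-agent and for "npm"
// listed as a regular dependency. No files are read or written.

const PATCHED = '2.2.3';            // "Patched in >=2.2.3" from the audit output
const VULN_PKG = 'https-proxy-agent';

// Compare dotted numeric versions: true when a < b (no prerelease handling).
function versionLess(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Walk a lockfile v1 "dependencies" tree and report every unpatched copy,
// with its path (as the audit report prints it) and whether it is bundled.
// A bundled copy ships inside its parent's tarball, so npm audit fix cannot
// update it separately; the parent (npm in this thread) has to change.
function findVulnerableAgents(lock, path = [], out = []) {
  for (const [name, meta] of Object.entries(lock.dependencies || {})) {
    const here = [...path, name];
    if (name === VULN_PKG && versionLess(meta.version, PATCHED)) {
      out.push({ path: here.join(' > '), version: meta.version, bundled: !!meta.bundled });
    }
    findVulnerableAgents(meta, here, out);   // nested node_modules
  }
  return out;
}

// shim-sao's fix: drop "npm" from dependencies/devDependencies and record it
// under "engines". Turning "^6.12.0" into ">=6.12.0" is this example's choice.
function moveNpmToEngines(pkg) {
  const fixed = JSON.parse(JSON.stringify(pkg));   // leave the input untouched
  let range = null;
  for (const field of ['dependencies', 'devDependencies']) {
    if (fixed[field] && fixed[field].npm) {
      range = fixed[field].npm;
      delete fixed[field].npm;
    }
  }
  if (range !== null) {
    fixed.engines = Object.assign({}, fixed.engines, { npm: range.replace(/^[\^~]/, '>=') });
  }
  return { fixed, moved: range !== null };
}

// Constructed sample mirroring the thread: npm in devDependencies bundling
// https-proxy-agent 2.2.2, beside a patched copy under another package.
const SAMPLE_PKG = { name: 'demo', devDependencies: { npm: '^6.12.0', '@angular/cli': '~8.3.0' } };
const SAMPLE_LOCK = {
  dependencies: {
    npm: { version: '6.12.0', dependencies: {
      'https-proxy-agent': { version: '2.2.2', bundled: true } } },
    '@angular/cli': { version: '8.3.0', dependencies: {
      'https-proxy-agent': { version: '2.2.3' } } },
  },
};

console.log(findVulnerableAgents(SAMPLE_LOCK));
console.log(JSON.stringify(moveNpmToEngines(SAMPLE_PKG).fixed, null, 2));
```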

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Nov 26, 2019