kevva / caw
Construct HTTP/HTTPS agents for tunneling proxies
License: MIT License
Hello,
It would be great to support NO_PROXY variables like the request module,
e.g.: https://github.com/request/request/blob/master/lib/getProxyFromURI.js#L40
This is a standard in *nix systems:
https://www.gnu.org/software/emacs/manual/html_node/url/Proxies.html
Vulnerability described in more detail here: https://snyk.io/vuln/npm:tunnel-agent:20170305
I'm not sure if caw is using tunnel-agent in a way that this vulnerability is exploitable, but it looks like tunnel agent should be safe to update (the only change to it since 2015 was to address this vulnerability) and doing so will save the whole ecosystem from getting Snyk warnings about this.
I'm happy to submit a PR, but I think it's just a package.json change.
env var override:
caw({
  proxyUrl: 'http://proxy/'
})
proxy headers:
caw({
  proxyHeaders: {
    'user-agent': 'my app'
  }
})
It doesn't support NO_PROXY and does not take an input URL (or protocol) to discern which env var to use, as there can be multiple. Meanwhile, proxy-from-env does all of this and more.
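The behaviour requested in the issues above (per-URL selection of the proxy variable, with NO_PROXY honoured), as an added example that is not caw's or proxy-from-env's code. The function names `proxyForUrl` and `bypassed`, the sample host names, and the matching rule (an entry covers the host and its subdomains, optionally on one port) are assumptions; tools differ on the exact NO_PROXY semantics.

```javascript
// Added example, not caw's or proxy-from-env's code. Function names are hypothetical.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443 };

// Return the proxy URL to use for `target`, or null to connect directly.
function proxyForUrl(target, env) {
  const u = new URL(target); // WHATWG URL parser rather than legacy url.parse()
  const host = u.hostname.toLowerCase();
  const port = u.port ? Number(u.port) : DEFAULT_PORTS[u.protocol];
  // Variable names are seen in both cases; the lower-case form wins here.
  const get = (name) => env[name.toLowerCase()] || env[name.toUpperCase()] || '';

  if (bypassed(host, port, get('no_proxy'))) return null;
  // The target's scheme selects the variable: https_proxy or http_proxy.
  return get(u.protocol.slice(0, -1) + '_proxy') || null;
}

// Assumed matching rule: an entry covers the host itself and its subdomains,
// optionally restricted to one port ("host:port"); "*" disables proxying.
function bypassed(host, port, noProxy) {
  return noProxy.split(/[\s,]+/).filter(Boolean).some((entry) => {
    if (entry === '*') return true;
    const [, rawName, entryPort] = entry.toLowerCase().match(/^(.+?)(?::(\d+))?$/);
    if (entryPort && Number(entryPort) !== port) return false;
    const name = rawName.replace(/^\*?\./, ''); // "*.corp" and ".corp" both mean "corp"
    // Compare on label boundaries so "internal.test" never covers "notinternal.test".
    return host === name || host.endsWith('.' + name);
  });
}

// Constructed sample environment; the host names are placeholders.
const sampleEnv = {
  HTTPS_PROXY: 'http://proxy.corp.test:3128',
  http_proxy: 'http://proxy.corp.test:8080',
  NO_PROXY: 'localhost, .internal.test, build.test:8443',
};
for (const t of ['https://registry.example.org/pkg', 'http://registry.example.org/pkg',
  'https://api.internal.test/', 'https://notinternal.test/', 'https://build.test:8443/']) {
  console.log(t, '->', proxyForUrl(t, sampleEnv) || 'direct');
}
```

Matching on label boundaries matters for the bypass decision: a plain suffix comparison would let a look-alike host skip the proxy and any inspection or egress policy applied there.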
tunnel-agent, not tunnel
You may already be aware of this issue, but I figured I'd post it here anyway, just in case I'm wrong. (I don't see it already posted.)
When running an npm audit on my Laravel project, I get several Moderate security vulnerabilities related to the tunnel-agent dependency. It seems there is a patch available, but it requires that you update caw so that it will use tunnel-agent version >=0.6.0:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Memory Exposure │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tunnel-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.6.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ laravel-mix [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ laravel-mix > img-loader > imagemin-gifsicle > gifsicle > │
│ │ bin-build > download > caw > tunnel-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/598 │
└───────────────┴──────────────────────────────────────────────────────────────┘
The 2.0.0 version also contains a vulnerability introduced through the [email protected] package, which you updated to the 0.6.0 version in [email protected], but didn't publish.
It would be nice if the GitHub package was the same as the one in the npm registry.
Should we care about them?
Don't use url.parse() as it will most likely be deprecated within a few years.
I'm having trouble getting caw to work with got, and I'm trying to figure out whether the issue is because of the proxy itself or because of how I'm configuring caw. If my proxy IP is something like 1.2.3.4 and port is 555 and it's an HTTPS proxy, should the string argument be exactly https://1.2.3.4:555, or does it expect it in a different format?
Couldn't get the tests to work so I'm not 100% sure this works. @floatdrop, you'd probably know how to fix this I guess :).
Hi,
Not sure this is the correct module as the error seems to stem from bin-wrapper, but surface in caw.
https://gist.github.com/AlexMeah/7e68c4d1df08d1d28879
It looks as though in bin-wrapper you new an instance of download without proxy, then in download pass this.opts.proxy which is undefined through to caw which then assigns undefined to opts.
Cheers.
as they needn't be single-use.
How can I pass caw a username/password required by the proxy I want to use?
Environmental variables can't do this, but something like os-proxy might.