
agent-base dependency causes override of http.request that breaks other node libraries/apps #490


Closed
apexad opened this issue May 23, 2020 · 7 comments
Labels
needs investigation An issue that has more questions to answer or otherwise needs work to fully understand the issue

Comments

@apexad

apexad commented May 23, 2020


Description

agent-base 4.x has known issues that break http.request
It has been requested that this be fixed, but the author has not responded.
See TooTallNate/node-proxy-agent#51

Output of npm ls agent-base

└─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         ├── [email protected]
│         ├─┬ [email protected]
│         │ └── [email protected]  deduped
│         ├─┬ [email protected]
│         │ └── [email protected]  deduped
│         ├─┬ [email protected]
│         │ └── [email protected]  deduped
│         └─┬ [email protected]
│           └── [email protected]

If possible, please use a different library in place of rest-facade or implement it directly into the auth0 library to avoid this dependency. Alternatively, an edited package-lock.json with agent-base 6.x (which is fixed) would work.

Reproduction

N/A; I don't have an instance where this is done without specific hardware that connects to auth0. However, the issues with including any dependency that relies on an old version of agent-base are well documented.

Environment

Node 10.x/Node 12.x

Please provide the following:

  • Version of this library used: 2.25.1
  • Version of the platform or framework used, if applicable:
  • Other relevant versions (language, server software, OS, browser):
  • Other modules/plugins/libraries that might be involved:
@apexad apexad changed the title dependency causes override of http.request that breaks other node libraries/apps agent-base dependency causes override of http.request that breaks other node libraries/apps May 23, 2020
@apexad
Author

apexad commented May 25, 2020

Likely the cause of the issues reported in #489 as well

@jsumners

jsumners commented Jun 9, 2020

This breaks any HTTPS request through the got library. Please update your dependency tree to remove this core patching nonsense.

@jimmyjames jimmyjames added the needs investigation An issue that has more questions to answer or otherwise needs work to fully understand the issue label Aug 4, 2020
@jimmyjames
Contributor

Thanks for the detailed info here @apexad.

Ultimately, this issue will need to be resolved with an update to node-proxy-agent and then an updated dependency change to rest-facade to use the fixed version. At that point we can update the dependencies of this SDK.

@jsumners

@jimmyjames did you just "close won't fix" this?

@apexad
Author

apexad commented Aug 10, 2020

@jimmyjames Agree with @jsumners that this is not really a good response to this issue. Perhaps you need to find a new library to use instead of rest-facade or implement whatever is used in that library directly into this one so that it can no longer be a dependency. It appears node-proxy-agent is abandoned and is a security risk waiting to happen.

@davidpatrick
Contributor

Opened a PR to the underlying library that updates agent-base to v6 TooTallNate/node-proxy-agent#55

@apexad
Author

apexad commented Oct 2, 2020

Opened a PR to the underlying library that updates agent-base to v6 TooTallNate/node-proxy-agent#55

Let’s hope TooTallNate merges it. Seems like a small change he could have easily done himself with all the issues open for it.
