I am pretty sure that this error appeared only today and it never occurred before. When I create a new react app, the process found 1 high vulnerability:
High: Denial of Service
Package: http-proxy
Patched in: No patch available
Dependency of: react-scripts
Path: react-scripts > webpack-dev-server > http-proxy-middleware > http-proxy
More info: https://npmjs.com/advisories/1486
(My version of "react-scripts" is 3.4.1). Of course, "npm audit fix" doesn't work.
What can I do about it? Is it something to care about, or can I work normally?
All versions of http-proxy are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"
No fix is currently available. Consider using an alternative package until a fix is made available.
But for the time being, you can work normally. It should not cause any type of working anomaly as of now.
Upgrade to http-proxy 1.18.1+ which contains a fix for the security issue detailed. NPM have now updated their security APIs to include the information that this issue is now resolved.
See https://github.com/http-party/node-http-proxy/issues/1446 for more info
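To check which copies of http-proxy in a project are still below the fixed release named in the answer above (1.18.1), the lockfile tree can be walked directly. This is an added example, not code from the original posts or from npm; the lock object is a constructed sample in the nested `dependencies` layout of package-lock.json, and the function names are hypothetical.

```javascript
// Constructed sample lock data; all version numbers here are illustrative.
const sampleLock = {
  dependencies: {
    "react-scripts": { version: "3.4.1", dependencies: {
      "webpack-dev-server": { version: "3.10.3", dependencies: {
        "http-proxy-middleware": { version: "0.19.1", dependencies: {
          "http-proxy": { version: "1.18.0" }
        } }
      } }
    } },
    "http-proxy": { version: "1.18.1" }
  }
};

const FIXED = [1, 18, 1]; // first fixed http-proxy release, per the answer above

function parseVersion(v) {
  // Keep only major.minor.patch; pre-release and build suffixes are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(version, floor) {
  const parts = parseVersion(version);
  if (!parts) return true; // unparseable version: report it for manual review
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== floor[i]) return parts[i] < floor[i];
  }
  return false;
}

// Walk every nested "dependencies" map and collect each copy of `name`
// whose version is below `floor`, together with the path that pulled it in.
function findVulnerable(lock, name = "http-proxy", floor = FIXED) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [pkg, info] of Object.entries(deps || {})) {
      const here = trail.concat(pkg);
      if (pkg === name && isBelow(info.version, floor)) {
        hits.push({ path: here.join(" > "), version: info.version });
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}
```

Calling `findVulnerable` on the parsed contents of a real package-lock.json lists every nested copy that still needs the upgrade, including ones a top-level install of a fixed version does not replace.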