npm 6.12.1 has high severity vulnerability

Hello,

When installing npm@6.12.1 (latest), npm audit flags the “https-proxy-agent” package as a high severity vulnerability.

Even though the “make-fetch-happen” package has fixed its versioning, the fix hasn’t yet made its way to an npm release.

When can we expect an npm release with this vulnerability resolved?

Thanks!

What I Wanted to Do

I wanted to install the “npm” package and not have any dependencies flagged.

What Happened Instead

npm audit flagged 21 high severity vulnerabilities, all of which were the same package.

Reproduction Steps

  1. mkdir repro && cd repro
  2. npm init
  3. npm install --save-dev npm@latest

EDIT: updated to reflect the vulnerability still being in 6.12.1