npm 6.12.1 has a high severity vulnerability


When installing npm@6.12.1 (latest), npm audit flags the “https-proxy-agent” package as a high severity vulnerability.

Even though the “make-fetch-happen” package has fixed its versioning, the fix hasn’t yet made its way to an npm release.

When can we expect an npm release with this vulnerability resolved?


What I Wanted to Do

I wanted to install the “npm” package and not have any dependencies flagged.

What Happened Instead

npm audit flagged 21 high severity vulnerabilities, all of which were for the same package.

Reproduction Steps

  1. mkdir repro && cd repro
  2. npm init
  3. npm install --save-dev npm@latest

EDIT: updated to reflect the vulnerability still being in 6.12.1
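To confirm what the reproduction steps above actually report, it helps to look at the machine-readable output of `npm audit --json` rather than the table: npm 6 counts one "vulnerability" per vulnerable dependency path, so a single advisory against one package reached through many routes shows up as many findings. The script below is an added example, not code from the issue or from npm; it assumes the npm 6 audit JSON layout (a top-level `advisories` object keyed by advisory id, each entry carrying `module_name`, `severity` and `findings[].paths` with `root>...>module` chains) and runs against a constructed sample whose advisory ids, versions and titles are placeholders.

```python
"""Group `npm audit --json` (npm 6 layout) findings by package and severity.

Added example; assumes the npm 6 audit JSON shape described in the lead-in.
Feed real output on stdin (`npm audit --json | python audit_summary.py`);
with no stdin it runs over the constructed sample below.
"""
import json
import sys
from collections import defaultdict

# Constructed sample standing in for `npm audit --json` output.
# Advisory ids, versions, titles and paths are placeholders, not real data.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "1": {
            "module_name": "https-proxy-agent",
            "severity": "high",
            "title": "placeholder title",
            "vulnerable_versions": "<2.2.3",
            "patched_versions": ">=2.2.3",
            "findings": [
                {"version": "2.2.1", "paths": [
                    "npm>make-fetch-happen>https-proxy-agent",
                    "npm>npm-registry-fetch>make-fetch-happen>https-proxy-agent",
                ]},
                {"version": "2.2.2", "paths": [
                    "npm>pacote>make-fetch-happen>https-proxy-agent",
                ]},
            ],
        },
        "2": {
            "module_name": "lodash",
            "severity": "low",
            "title": "placeholder title",
            "vulnerable_versions": "<4.17.12",
            "patched_versions": ">=4.17.12",
            "findings": [{"version": "4.17.11", "paths": ["npm>lodash"]}],
        },
    },
    "metadata": {"vulnerabilities": {
        "info": 0, "low": 1, "moderate": 0, "high": 3, "critical": 0}},
})


def parse_audit(audit_json):
    """Return {module_name: {"severities": set, "advisories": [ids], "paths": [chains]}}.

    Collecting every reported path per module makes it obvious when a large
    finding count is really one advisory reached through several dependency routes.
    """
    data = json.loads(audit_json)
    summary = defaultdict(lambda: {"severities": set(), "advisories": [], "paths": []})
    for adv_id, adv in data.get("advisories", {}).items():
        entry = summary[adv["module_name"]]
        entry["advisories"].append(adv_id)
        entry["severities"].add(adv["severity"])
        for finding in adv.get("findings", []):
            entry["paths"].extend(finding.get("paths", []))
    return dict(summary)


def modules_at_severity(summary, severity):
    """Sorted names of modules with at least one advisory at the given severity."""
    return sorted(name for name, e in summary.items() if severity in e["severities"])


def direct_parents(summary, module):
    """Packages that depend directly on `module` in the reported paths.

    The segment just before the module in each "a>b>module" chain is the
    dependency whose own version bump has to ship before the finding clears.
    """
    parents = set()
    for path in summary.get(module, {}).get("paths", []):
        parts = path.split(">")
        if len(parts) >= 2 and parts[-1] == module:
            parents.add(parts[-2])
    return sorted(parents)


def path_count(summary, module):
    """Number of vulnerable dependency paths npm 6 would count for `module`."""
    return len(summary.get(module, {}).get("paths", []))


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_JSON
    s = parse_audit(raw)
    for sev in ("critical", "high", "moderate", "low"):
        for mod in modules_at_severity(s, sev):
            print(f"{sev}: {mod} via {direct_parents(s, mod)} ({path_count(s, mod)} paths)")
```

On the constructed sample the high findings all resolve to one module, and every path reaches it through `make-fetch-happen`, which is the shape of the report described in the issue. The script targets the npm 6 JSON layout only; npm 7 and later emit a different structure keyed by package name under `vulnerabilities`, so the parser would need adjusting there.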

