chore(remix-dev): update proxy-agent dependency

[roughee]

Fixes #6833

[remix-cla-bot]

Hi @roughee,

Welcome, and thank you for contributing to Remix!

Before we consider your pull request, we ask that you sign our Contributor License Agreement (CLA). We require this only once.

You may review the CLA and sign it by adding your name to contributors.yml.

Once the CLA is signed, the CLA Signed label will be added to the pull request.

If you have already signed the CLA and received this response in error, or if you have any questions, please contact us at [email protected].

Thanks!

- The Remix team

[changeset-bot]

⚠️ No Changeset found

Latest commit: b923517

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[remix-cla-bot]

Thank you for signing the Contributor License Agreement. Let's get this merged! 🥳

[lukehsiao]

This fixes a critical security vuln for everyone that uses Remix. Do we have any estimates when this will release once it merges?

[rickbatka]

Any maintainers want to weigh in on this? npm audit is now reporting critical vulnerabilities for everyone using Remix.

FWIW, I tried using a "resolutions" override in my Remix app to force proxy-agent to 6.3.0, and it breaks remix build:

  "resolutions": {
    "proxy-agent" : "^6.3.0",
}

Then ran:

yarn install
yarn build

Here is the output from remix build:

/workspaces/platform/web/node_modules/@remix-run/dev/dist/cli/create.js:67
const defaultAgent = new ProxyAgent__default["default"]();
                     ^

TypeError: ProxyAgent__default.default is not a constructor
    at Object.<anonymous> (/workspaces/platform/web/node_modules/@remix-run/dev/dist/cli/create.js:67:22)
    at Module._compile (node:internal/modules/cjs/loader:1255:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1309:10)
    at Module.load (node:internal/modules/cjs/loader:1113:32)
    at Module._load (node:internal/modules/cjs/loader:960:12)
    at Module.require (node:internal/modules/cjs/loader:1137:19)
    at require (node:internal/modules/helpers:121:18)
    at Object.<anonymous> (/workspaces/platform/web/node_modules/@remix-run/dev/dist/cli/commands.js:56:16)
    at Module._compile (node:internal/modules/cjs/loader:1255:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1309:10)
    at Module.load (node:internal/modules/cjs/loader:1113:32)
    at Module._load (node:internal/modules/cjs/loader:960:12)
    at Module.require (node:internal/modules/cjs/loader:1137:19)
    at require (node:internal/modules/helpers:121:18)
    at Object.<anonymous> (/workspaces/platform/web/node_modules/@remix-run/dev/dist/cli/run.js:22:16)
    at Module._compile (node:internal/modules/cjs/loader:1255:14)

Node.js v20.2.0
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

Rebuilding...
ERROR: "dev:remix" exited with 1.
error Command failed with exit code 1.

I worry that this PR might not go far enough to fix the issue - it might clear the vulnerability warning, while also breaking the remix compiler.

But I'm just taking a guess.

[roughee]

@rickbatka

you are welcome to try yourself on the remix repo it builds just fine.

git checkout dev
yarn install
npx playwright install
yarn build
yarn test

then

cd packages
cd remix-dev
yarn upgrade proxy-agent@^6.3.0
cd ..
cd ..
yarn install
yarn build
yarn test

[roughee]

@machour fixed the import it should resolve the CI build.

[machour]

@roughee Thank you so much for your work on this PR, but the security issue seems to have been fixed as part as a larger PR (#6887)

@brophdawg11 Do you think we will cut 1.19.1 to address the issue, or will this have to wait for the incoming major bump?

I leave it up to you to close this PR.

[averypelle]

@machour @brophdawg11 I would advocate in favor of a patch release containing just this change.

If the larger PR is part of a breaking change, many codebases will be exposed to this vulnerability for a much longer time, i.e. until they figure out how to migrate to the latest major version.

Importantly, vercel remains exposed to this critical security vulnerability via its dependency on this project vercel/vercel#10222 . A patch version would allow for a much quicker resolution for that repo and the many codebases that use it.

[rickbatka]

@machour @brophdawg11 I would advocate in favor of a patch release containing just this change.

If the larger PR is part of a breaking change, many codebases will be exposed to this vulnerability for a much longer time, i.e. until they figure out how to migrate to the latest major version.

Importantly, vercel remains exposed to this critical security vulnerability via its dependency on this project vercel/vercel#10222 . A patch version would allow for a much quicker resolution for that repo and the many codebases that use it.

I agree, my codebase is one of those affected (we are on 1.18). This really should go out as a patch release for all supported versions of Remix. The vulnerability is quite serious (maintainer pulled his package and made various statements online).

[quinn]

I think this is an appropriate patch release on the 1.19 series given the critical vulnerability. I'd like to get this updated and clear my security alerts :)

[brophdawg11]

We've got another fix we'd like to put out in a 1.19.2 so I cherry-picked these into #7027 to include as well

[brophdawg11]

Also cross-posting this comment for visibility. This is not a vulnerability with your runtime app. This is something only used by the create-remix CLI tool, which is currently part of @remix-run/dev which is why you're seeing the npm warning. Your production application is not using the create-remix CLI, and thus is not impacted. It's just a symptom of the design of npm audit (tl;dr;)