node-proxy-agents - Debian Package Tracker

general

source: node-proxy-agents (main)
version: 0~2025070717+~cs15.3.8-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Israel Galadima [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 0~2024040606-6+deb13u1
testing: 0~2025070717+~cs15.3.7-1
unstable: 0~2025070717+~cs15.3.8-1

versioned links

0~2024040606-6+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0~2025070717+~cs15.3.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0~2025070717+~cs15.3.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-agent-base
node-args
node-basic-ftp
node-data-uri-to-buffer
node-degenerator
node-get-uri
node-http-proxy-agent
node-https-proxy-agent
node-pac-proxy-agent
node-pac-resolver
node-proxy
node-proxy-agent
node-socks-proxy-agent

action needed

A new upstream version is available: 0~2026050400+~cs16.0.8 high

A new upstream version 0~2026050400+~cs16.0.8 is available, you should consider packaging it.

Created: 2026-03-07 Last update: 2026-05-17 11:30

3 security issues in trixie high

There are 3 open security issues in trixie.

1 important issue:

CVE-2026-44240: basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1.

2 issues left for the package maintainer to handle:

CVE-2026-39983: (needs triaging) basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
CVE-2026-41324: (needs triaging) basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-04-18 Last update: 2026-05-15 19:02

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-44240: basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1.

Created: 2026-05-14 Last update: 2026-05-15 19:02

Multiarch hinter reports 1 issue(s) normal

There are issues with the multiarch metadata for this package.

node-pac-resolver could be marked Multi-Arch: foreign

Created: 2025-10-30 Last update: 2026-05-17 09:30

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-09-24 Last update: 2026-05-17 08:30

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-15 Last update: 2026-05-15 22:30

debian/patches: 1 patch to forward upstream low

Among the 7 debian patches available in version 0~2025070717+~cs15.3.8-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-11-01 Last update: 2026-05-16 00:00

testing migrations

excuses:
- Migration status for node-proxy-agents (0~2025070717+~cs15.3.7-1 to 0~2025070717+~cs15.3.8-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for node-corepack/0.24.0-5: amd64: Pass, arm64: Pass, i386: Test triggered, loong64: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-fetch/3.3.2+~cs11.4.11-3: amd64: Pass, arm64: Pass, i386: Test triggered, loong64: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-gyp/12.3.0+~6.1.0-1: amd64: Pass, arm64: Pass, i386: Test triggered, loong64: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-jsdom/20.0.3+~cs124.18.21-6: amd64: Pass, arm64: Pass, i386: Test triggered, loong64: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-pre-gyp/1.0.11+~2.0.3-3: amd64: Pass, arm64: Pass, i386: Test triggered, loong64: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-proxy-agents/0~2025070717+~cs15.3.8-1: amd64: Pass, arm64: Pass, i386: Test triggered, loong64: Test triggered, ppc64el: No tests, superficial or marked flaky ♻, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-undici/7.24.6+dfsg+~cs3.2.0-2: amd64: Pass, arm64: Pass, i386: Test triggered, loong64: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-ws/8.19.0+~cs14.19.1-1: amd64: Pass, arm64: Pass, i386: Test triggered, loong64: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for npm/11.12.1~ds1-4: amd64: Pass, arm64: Pass, i386: Test triggered, loong64: Test triggered (will not be considered a regression) ♻ (reference ♻), ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Too young, only 2 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-proxy-agents.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[rss feed]

[2026-05-15] Accepted node-proxy-agents 0~2025070717+~cs15.3.8-1 (source) into unstable (Xavier Guimard)
[2026-04-29] node-proxy-agents 0~2025070717+~cs15.3.7-1 MIGRATED to testing (Debian testing watch)
[2026-04-24] Accepted node-proxy-agents 0~2025070717+~cs15.3.7-1 (source) into unstable (Xavier Guimard)
[2026-03-08] Accepted node-proxy-agents 0~2024040606-6+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2026-03-04] node-proxy-agents 0~2025070717+~cs15.2.7-1 MIGRATED to testing (Debian testing watch)
[2026-02-27] Accepted node-proxy-agents 0~2025070717+~cs15.2.7-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2025-11-06] node-proxy-agents 0~2025070717-6 MIGRATED to testing (Debian testing watch)
[2025-11-01] Accepted node-proxy-agents 0~2025070717-6 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2025-10-26] Accepted node-proxy-agents 0~2025070717-5 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2025-10-26] Accepted node-proxy-agents 0~2025070717-4 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2025-10-26] Accepted node-proxy-agents 0~2025070717-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2025-09-25] node-proxy-agents 0~2025070717-2 MIGRATED to testing (Debian testing watch)
[2025-08-29] Accepted node-proxy-agents 0~2025070717-2 (source) into unstable (Jérémy Lal)
[2025-08-22] Accepted node-proxy-agents 0~2025070717-1 (source) into unstable (Jérémy Lal)
[2025-05-24] node-proxy-agents 0~2024040606-6 MIGRATED to testing (Debian testing watch)
[2025-05-20] Accepted node-proxy-agents 0~2024040606-6 (source) into unstable (Jérémy Lal)
[2025-01-31] node-proxy-agents 0~2024040606-5 MIGRATED to testing (Debian testing watch)
[2025-01-25] Accepted node-proxy-agents 0~2024040606-5 (source) into unstable (Jérémy Lal)
[2024-08-07] node-proxy-agents 0~2024040606-4 MIGRATED to testing (Debian testing watch)
[2024-08-01] Accepted node-proxy-agents 0~2024040606-4 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-04-24] node-proxy-agents 0~2024040606-3 MIGRATED to testing (Debian testing watch)
[2024-04-22] Accepted node-proxy-agents 0~2024040606-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-04-19] Accepted node-proxy-agents 0~2024040606-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-04-07] Accepted node-proxy-agents 0~2024040606-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-12-07] node-proxy-agents 0~2023071921-5 MIGRATED to testing (Debian testing watch)
[2023-11-29] Accepted node-proxy-agents 0~2023071921-5 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-11-24] Accepted node-proxy-agents 0~2023071921-4 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-11-24] Accepted node-proxy-agents 0~2023071921-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-11-23] Accepted node-proxy-agents 0~2023071921-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-11-11] Accepted node-proxy-agents 0~2023071921-1 (source all) into experimental (Debian FTP Masters) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0~2025070717+~cs15.2.7-1build1