Closed
7 changes: 6 additions & 1 deletion packages/http-caching-proxy/src/http-caching-proxy.ts
Expand Up @@ -8,9 +8,9 @@
import {once} from 'node:events';
import {
createServer,
Server as HttpServer,
IncomingMessage,
OutgoingHttpHeaders,
Server as HttpServer,
ServerResponse,
} from 'node:http';
import {AddressInfo} from 'node:net';
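Review bot: The import block is touched here only to move `Server as HttpServer`, while the agent added further down is pulled in with an inline `require('node:https')` rather than an import next to `node:http` and `node:net`. If an HTTPS agent stays in the change, import it at the top (for example `import {Agent as HttpsAgent} from 'node:https';`) so the dependency is visible and type-checked. Otherwise drop this reordering from the PR, since it is unrelated to the TLS behaviour.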
Expand Down Expand Up @@ -89,6 +89,11 @@
// http status code. Please note that Axios creates a new error in such
// condition and the original low-level error is lost
validateStatus: () => true,
// Disable SSL certificate validation for HTTPS requests
// This is acceptable for a testing/caching proxy
httpsAgent: new (require('node:https').Agent)({
rejectUnauthorized: false,

Check failure: Code scanning / CodeQL

Disabling certificate validation (High)

Disabling certificate validation is strongly discouraged.

Copilot Autofix (AI, 1 day ago)

In general, the problem is that TLS certificate validation is disabled by setting rejectUnauthorized: false in the custom https.Agent used by Axios. The fix is to avoid disabling validation: either use the default https.Agent (no custom httpsAgent configuration at all), or explicitly set rejectUnauthorized: true. If special handling of self‑signed certificates is needed, it should be done via trusted CA configuration instead, not by turning validation off.

The minimal, non‑breaking change here is to stop passing rejectUnauthorized: false when constructing the agent. Since Node’s default HTTPS agent already enforces certificate validation, the cleanest approach is to remove the custom httpsAgent entirely and let Axios use its default. That preserves all existing behavior except for making TLS secure again. Concretely, in packages/http-caching-proxy/src/http-caching-proxy.ts, within the HttpCachingProxy constructor, we should delete the httpsAgent property (lines 92–96 in the snippet) and the associated comment about disabling SSL validation. No new imports are needed, because we will no longer use require('node:https') here. Axios will automatically use Node’s standard HTTPS handling, which validates certificates.

Suggested changeset 1
packages/http-caching-proxy/src/http-caching-proxy.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/http-caching-proxy/src/http-caching-proxy.ts b/packages/http-caching-proxy/src/http-caching-proxy.ts
--- a/packages/http-caching-proxy/src/http-caching-proxy.ts
+++ b/packages/http-caching-proxy/src/http-caching-proxy.ts
@@ -89,11 +89,6 @@
       // http status code. Please note that Axios creates a new error in such
       // condition and the original low-level error is lost
       validateStatus: () => true,
-      // Disable SSL certificate validation for HTTPS requests
-      // This is acceptable for a testing/caching proxy
-      httpsAgent: new (require('node:https').Agent)({
-        rejectUnauthorized: false,
-      }),
     });
   }
 
EOF
@@ -89,11 +89,6 @@
// http status code. Please note that Axios creates a new error in such
// condition and the original low-level error is lost
validateStatus: () => true,
// Disable SSL certificate validation for HTTPS requests
// This is acceptable for a testing/caching proxy
httpsAgent: new (require('node:https').Agent)({
rejectUnauthorized: false,
}),
});
}
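Review bot: The removal at `-89,11` deletes the whole `httpsAgent` block and puts nothing in its place, so after applying it the PR consists of the import reordering alone and any upstream whose certificate does not validate will fail again. Before applying, record which upstream needed the agent. If it uses a self-signed or private CA certificate, replace the deleted lines with an agent that sets `ca` and leaves `rejectUnauthorized` at its default instead of only deleting them.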

}),
});
}
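Review bot: `rejectUnauthorized: false` in the `httpsAgent` added after `validateStatus` turns off certificate validation unconditionally for every HTTPS request the proxy makes, and the comment "This is acceptable for a testing/caching proxy" is not a safe justification: a caching proxy stores what it fetched, so a response from an unauthenticated upstream is kept and served again. Keep validation on by default. If a test upstream uses a self-signed or private CA certificate, pass that CA to the agent through the `ca` option (it replaces the default trust store, so include the public roots if public hosts are proxied too), or put any insecure mode behind an explicit constructor option that defaults to off.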
