fix: replace vulnerable proxy dependency

Author: JackuB

package.json

@@ -86,6 +86,7 @@
     "configstore": "^5.0.1",
     "debug": "^4.1.1",
     "diff": "^4.0.1",
+    "global-agent": "^2.1.12",
     "hcl-to-json": "^0.1.1",
     "lodash.assign": "^4.2.0",
     "lodash.camelcase": "^4.3.0",
@@ -110,7 +111,6 @@
     "ora": "5.3.0",
     "os-name": "^3.0.0",
     "promise-queue": "^2.2.5",
-    "proxy-agent": "^3.1.1",
     "proxy-from-env": "^1.0.0",
     "rimraf": "^2.6.3",
     "semver": "^6.0.0",

src/lib/request/request.ts

@@ -5,7 +5,7 @@ import * as querystring from 'querystring';
 import * as zlib from 'zlib';
 import * as config from '../config';
 import { getProxyForUrl } from 'proxy-from-env';
-import * as ProxyAgent from 'proxy-agent';
+import { bootstrap } from 'global-agent';
 import * as analytics from '../analytics';
 import { Global } from '../../cli/args';
 import { Payload } from './types';
@@ -120,8 +120,9 @@ export = function makeRequest(
         const proxyUri = getProxyForUrl(url);
         if (proxyUri) {
           snykDebug('using proxy:', proxyUri);
-          // proxyAgent type is an EventEmitter and not an http Agent
-          options.agent = (new ProxyAgent(proxyUri) as unknown) as http.Agent;
+          bootstrap({
+            environmentVariableNamespace: '',
+          });
         } else {
           snykDebug('not using proxy');
         }

test/request.test.ts

@@ -283,11 +283,7 @@ test('request with https proxy calls needle as expected', (t) => {
             follow_max: 5, // default
             timeout: 300000, // default
             json: undefined, // default
-            agent: sinon.match({
-              proxy: sinon.match({
-                href: 'https://proxy:8443/', // should be set when using proxy
-              }),
-            }),
+            agent: sinon.match.truthy,
             rejectUnauthorized: undefined, // should not be set when not use insecure mode
           }),
           sinon.match.func, // callback function
@@ -335,11 +331,7 @@ test('request with http proxy calls needle as expected', (t) => {
             follow_max: 5, // default
             timeout: 300000, // default
             json: undefined, // default
-            agent: sinon.match({
-              proxy: sinon.match({
-                href: 'http://proxy:8080/', // should be set when using proxy
-              }),
-            }),
+            agent: sinon.match.truthy,
             rejectUnauthorized: undefined, // should not be set when not use insecure mode
           }),
           sinon.match.func, // callback function