Update dependency "follow-redirects" to mitigate CVE-2022-0536

[PersonMeetup]

Report at GHSA-pw2r-vq6v-hr8c

Recommend #1564 updates to 1.14.8 rather than 1.14.7

[fabiohaertel]

Need this too

Please update "follow-redirects" to >= 1.14.8
Refer this GHSA-pw2r-vq6v-hr8c

[Skrigueztep]

Need this too

[anand-gopinath]

Any updates on release?

[PersonMeetup]

Any updates on release?

Judging by it being nearly 2 years since I made this issue, I'm in agreeance with #1653 that this repo is unmaintained. Best option is to migrate away from this package if possible. I'll keep this issue open, even if all it serves as is a warning that this won't be solved anytime soon.

[fabiohaertel]

I sort of solved it by forcing npm to use the latest version through:

{ "overrides": { "follow-redirects": ">=1.15.4" } }

No side effects for me

[ryanomor]

{ "overrides": { "follow-redirects": ">=1.15.4" } }

@fabiohaertel Where are you adding the override? I was planning on adding it to my project's package.json like so:

"overrides": {
    "http-proxy": {
        "follow-redirects": ">=1.15.4"
    }
}

If I'm not mistaken, the way you have it written will bump the version of follow-redirects everywhere in your project, and not just within the http-proxy package. That may be fine, but just to limit the scope of change, I provided another solution above