Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix!: stop ignoring NODE_TLS_REJECT_UNAUTHORIZED when strictSSL is not defined #316

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix!: stop ignoring NODE_TLS_REJECT_UNAUTHORIZED when strictSSL is not defined #316

wants to merge 1 commit into from
+30 −1

Conversation

brunoargolo
Copy link

@brunoargolo brunoargolo commented Sep 19, 2024
edited by wraithgar
Loading

BREAKING CHANGE: the NODE_TLS_REJECT_UNAUTHORIZED environment variable is no longer being ignored if strictSSL is not defined

Currently NODE_TLS_REJECT_UNAUTHORIZED is simply ignored as options.rejectUnauthorized is always set to false when strictSSL is not defined.

Most notably this causes issues for users behind corporate proxies using npm and pnpm when installing a package that uses node-gyp. Example: nodejs/node-gyp#2663

This change only takes into account NODE_TLS_REJECT_UNAUTHORIZED when strictSSL is not passed to fetch.

unit tests were added to ensure strictSSL is still the primary driver.

@brunoargolo brunoargolo requested a review from a team as a code owner September 19, 2024 19:16
@brunoargolo brunoargolo mentioned this pull request Sep 19, 2024
Open
@wraithgar
Copy link
Member

This was brought up before in #257. Given its use in node-gyp it makes sense to revisit though.

Is this a breaking change?

@brunoargolo
Copy link
Author

Hey @wraithgar, confirming this is a non-breaking change.
The behaviour is only modified if NODE_TLS_REJECT_UNAUTHORIZED is set AND the fetch function caller has not specified the strictSSL param (undefined or null).
I've included new unit tests to cover scenarios when the env variable is set.

@brunoargolo brunoargolo mentioned this pull request Sep 26, 2024
Open
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 16, 2024
View reviewed changes
test/options.js Dismissed Show dismissed Hide dismissed
@wraithgar wraithgar changed the title follow NODE_TLS_REJECT_UNAUTHORIZED when strictSSL is not defined fix: stop ignoring NODE_TLS_REJECT_UNAUTHORIZED when strictSSL is not defined Oct 16, 2024
@wraithgar wraithgar changed the title fix: stop ignoring NODE_TLS_REJECT_UNAUTHORIZED when strictSSL is not defined fix!: stop ignoring NODE_TLS_REJECT_UNAUTHORIZED when strictSSL is not defined Oct 16, 2024
This was referenced Oct 16, 2024
Open
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@brunoargolo @wraithgar