Skip to content

fork and maintain node-http-proxy / http-proxy #8324

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
williamstein opened this issue May 5, 2025 · 4 comments
Closed

fork and maintain node-http-proxy / http-proxy #8324

williamstein opened this issue May 5, 2025 · 4 comments
Labels
I-feature request P-blocker Critical -- Stop most things to fix upstream

Comments

@williamstein
Copy link
Contributor

williamstein commented May 5, 2025
edited
Loading

This is somewhat similar in spirit to to #8272

We use the node-http-proxy library for proxying, and have many years. Unfortunately, it's totally unmaintained now , despite having almost 15 million downloads a week. There's 106 open PR's and 509 open issues, and there was exactly one patch release in the last 10 years, over 4 years ago. From the issue tracker, it looks like there are no other similar libraries that handle websockets. Most interestingly, this PR fixes "a major memory leak" in websocket proxying. The leak wasn't a problem before node 15.6, but a change in nodejs around then broke things for all node versions thereafter. This one little bug known (with a fix) since 2021 has been significantly negatively impacting CoCalc since whenever we upgraded to Node 15.6.

JupyterHub also had the exact same problem: jupyterhub/configurable-http-proxy#434 They fixed it by using this fork:

https://github.com/Jimbly/http-proxy-node16

I just skimmed the source code of hub-proxy, and it's relatively small (e.g., ~500 SLOC total). Not surprisingly, there are many high security vulnerabilities in dependencies though. Since nobody else will properly maintain this package, when we get time we should fork it and maintain a package with up to date dependencies, and also cherry pick some of the fixes from the PR's. When we do, we should advertise our fork here:

http-party/node-http-proxy#1687

If we make a fork, it would also be good to welcome the JupyterHub devs to use it (and/or contribute).

Any suggestions for what to call such a fork?
@williamstein williamstein changed the title for node-proxy fork and maintain node-http-proxy / http-proxy May 5, 2025
@haraldschilly
Copy link
Contributor

There are also tickets about other types of leaks, e.g. http-party/node-http-proxy#1586

@haraldschilly
Copy link
Contributor

haraldschilly commented May 6, 2025
edited
Loading

Coming from this memory leak test example → I saw it uses a fork. So, maybe http-proxy-node16 is a good starting point for websocket related improvements. (npmjs)

@williamstein
Copy link
Contributor Author

williamstein commented May 6, 2025
edited
Loading

Started a rewrite here based on http-proxy-node16

https://github.com/sagemathinc/http-proxy-3

and

https://www.npmjs.com/package/http-proxy-3

This is certainly not ready for production or anything like that yet, because we need to rewrite the examples and tests and ensure they all work. But it does work for proxying jupyterlab and nats already in cocalc, which is a good sign.

@williamstein williamstein added the P-blocker Critical -- Stop most things to fix label May 7, 2025
This was referenced May 7, 2025
Closed
Merged
@williamstein
Copy link
Contributor Author

#8329

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
I-feature request P-blocker Critical -- Stop most things to fix upstream
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@haraldschilly @williamstein