
fix: https data in cleartext to proxy #10858

Merged: jasonsaayman merged 9 commits into v1.x from fix/https-data-in-cleartext-to-proxy on May 6, 2026

Conversation

@jasonsaayman jasonsaayman (Member) commented May 6, 2026

Summary

Fixes HTTPS proxy handling so axios uses CONNECT tunnelling for HTTPS targets instead of forwarding request URLs, headers, and bodies to the proxy in plaintext.

Linked issue

Fixes #6320

Changes

  • Adds https-proxy-agent and uses it in the Node HTTP adapter for automatic HTTPS CONNECT tunnelling through proxies.
  • Keeps HTTP targets in forward-proxy mode while ensuring HTTPS proxy auth is sent only on the CONNECT request.
  • Avoids stale tunnelling agent reuse across redirects and preserves custom httpsAgent opt-out behaviour.
  • Updates README and THREATMODEL documentation for the proxy behaviour and new runtime dependency.
  • Adds focused HTTP adapter tests for CONNECT tunnelling, proxy auth isolation, env proxy behaviour, and CONNECT 407 errors.

Checklist

  • Tests added or updated
  • Docs/types updated if public API changed (index.d.ts and index.d.cts)
  • No breaking changes (or called out explicitly above)

Summary by cubic

Routes all https:// requests through CONNECT tunneling using https-proxy-agent so URLs, headers, and bodies never reach the proxy; keeps http:// in forward-proxy mode. Adds https-proxy-agent as a runtime dep and fixes #6320.

Description

  • Uses HttpsProxyAgent to CONNECT-tunnel HTTPS targets; Proxy-Authorization is sent on CONNECT only.
  • Keeps HTTP in forward-proxy mode; stamps Proxy-Authorization on the forwarded request; preserves a user Host.
  • Honors proxy-from-env and NO_PROXY; works with HTTP/HTTPS proxies and IPv6 proxy hosts.
  • Installs a tunneling agent unless the user supplies an HttpsProxyAgent; if a plain httpsAgent is provided, we still tunnel and forward its TLS options (CA, client certs, rejectUnauthorized) to the tunnel.
  • Reuses tunneling agents per proxy; tags axios-installed tunnels so redirects can clear them without touching user agents; passes httpsAgent into redirect proxy setup; sets both options.agent and options.agents.https; forces ALPNProtocols=['http/1.1'] for HTTPS proxies.
  • Surfaces CONNECT 407 as an AxiosError.
  • Adds https-proxy-agent as a runtime dependency and internalizes it in the Node build.
  • README and THREATMODEL updated for the behavior and new dependency.

Docs

Please update /docs/ to cover:

  • HTTPS uses CONNECT tunneling; HTTP uses forward-proxy mode.
  • Proxy-Authorization is on CONNECT only for HTTPS; never forwarded to origins.
  • Host header is only relevant in forward-proxy mode (HTTP).
  • To manage tunneling explicitly, supply your own HttpsProxyAgent; a plain httpsAgent will not disable tunneling.
  • Note https-proxy-agent as a runtime dependency.

Testing

  • Expanded tests/unit/adapters/http.test.js:
    • HTTP targets use forward-proxy (no CONNECT).
    • HTTPS targets tunnel via HTTP and HTTPS proxies; proxy sees no plaintext.
    • Proxy-Authorization only on CONNECT; never reaches origin.
    • Env vars honored; CONNECT 407 yields AxiosError.
    • Tunneling agent management: reuse per proxy, forward user httpsAgent TLS options, respect a user HttpsProxyAgent, clear axios-installed tunnels on redirects, handle IPv6 proxy hosts.

Semantic version impact

Patch: fixes HTTPS proxy behavior without changing the public API.

Written for commit 3a176fb. Summary will update on new commits.

@jasonsaayman jasonsaayman self-assigned this May 6, 2026
@jasonsaayman jasonsaayman added the priority::medium and commit::fix labels May 6, 2026
socket-security (Bot) commented May 6, 2026

Review the following changes in direct dependencies.

Diff   Package                      Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/https-proxy-agent@5.0.1  100                    100            100      85           100


@jasonsaayman jasonsaayman (Member, Author) commented

@cubic-dev-ai please review in depth!

cubic-dev-ai (Bot, Contributor) commented May 6, 2026

@cubic-dev-ai please review in depth!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.



Development

Successfully merging this pull request may close these issues.

Security: Axios sends HTTPS data in cleartext to a proxy (regression)
