From 1ee08d8670fa655b395b1a25d95917627040fdb9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 12 Mar 2026 22:25:57 +0000 Subject: [PATCH 1/7] Initial plan From aec709f22e7663c9cf88418974e851b607ee8498 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 12 Mar 2026 22:29:28 +0000 Subject: [PATCH 2/7] Initial plan for fixing issue #285 Co-authored-by: aviadhahami <7353632+aviadhahami@users.noreply.github.com> --- package-lock.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package-lock.json b/package-lock.json index 49a5ccc..65f791e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "node-vault", - "version": "0.10.10", + "version": "0.11.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "node-vault", - "version": "0.10.10", + "version": "0.11.0", "license": "MIT", "dependencies": { "axios": "^1.13.6", From 2c361ccfcbbc4e55f7ba0f67f9576c7ebacb1505 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 12 Mar 2026 22:31:19 +0000 Subject: [PATCH 3/7] Fix backward-compatible TLS options in axios request wrapper Map postman-request-style TLS options (ca, cert, key, passphrase, pfx, agentOptions, strictSSL) from requestOptions to an httpsAgent for axios. Fixes #285 Co-authored-by: aviadhahami <7353632+aviadhahami@users.noreply.github.com> --- example/pass_request_options.js | 3 +- index.d.ts | 13 +++- src/index.js | 43 ++++++++++- test/unit.js | 130 ++++++++++++++++++++++++++++++++ 4 files changed, 184 insertions(+), 5 deletions(-) diff --git a/example/pass_request_options.js b/example/pass_request_options.js index c48b1a1..7452570 100644 --- a/example/pass_request_options.js +++ b/example/pass_request_options.js @@ -3,7 +3,8 @@ process.env.DEBUG = 'node-vault'; // switch on debug mode // Pass request options at initialization time. -// These options are forwarded to postman-request for every request. +// TLS options (ca, cert, key, passphrase, agentOptions) are mapped to an +// https.Agent and forwarded to axios for every request. const vault = require('./../src/index')({ requestOptions: { agentOptions: { diff --git a/index.d.ts b/index.d.ts index 9c24d5b..f5eb947 100644 --- a/index.d.ts +++ b/index.d.ts @@ -11,6 +11,17 @@ declare namespace NodeVault { [p: string]: any; } + /** Backward-compatible TLS options from the former request/postman-request API. */ + interface TlsOptions { + ca?: string | Buffer | Array; + cert?: string | Buffer | Array; + key?: string | Buffer | Array; + passphrase?: string; + pfx?: string | Buffer | Array; + strictSSL?: boolean; + agentOptions?: { [p: string]: any }; + } + interface RequestOption extends Option { path: string; method: string; @@ -149,7 +160,7 @@ declare namespace NodeVault { noCustomHTTPVerbs?: boolean; pathPrefix?: string; token?: string; - requestOptions?: AxiosRequestConfig; + requestOptions?: AxiosRequestConfig & TlsOptions; } } diff --git a/src/index.js b/src/index.js index fd3d43d..d4a4c56 100644 --- a/src/index.js +++ b/src/index.js @@ -43,18 +43,27 @@ module.exports = (config = {}) => { if (config['request-promise']) return config['request-promise'].defaults(rpDefaults); - const httpsAgent = rpDefaults.strictSSL === false - ? new https.Agent({ rejectUnauthorized: false }) + const baseAgentOptions = {}; + if (rpDefaults.strictSSL === false) { + baseAgentOptions.rejectUnauthorized = false; + } + + const defaultHttpsAgent = Object.keys(baseAgentOptions).length > 0 + ? new https.Agent(baseAgentOptions) : undefined; const instance = axios.create({ // Accept all HTTP status codes (equivalent to request's simple: false) // so that vault response handling logic can process non-2xx responses. validateStatus: () => true, - ...(httpsAgent ? { httpsAgent } : {}), + ...(defaultHttpsAgent ? { httpsAgent: defaultHttpsAgent } : {}), ...(rpDefaults.timeout ? { timeout: rpDefaults.timeout } : {}), }); + // Properties that map to https.Agent options for backward compatibility + // with the former postman-request / request library API. + const tlsOptionKeys = ['ca', 'cert', 'key', 'passphrase', 'pfx']; + return function requestWrapper(options) { const axiosOptions = { method: options.method, @@ -66,6 +75,34 @@ module.exports = (config = {}) => { axiosOptions.data = options.json; } + // Map request-style TLS options to a per-request httpsAgent + const perRequestAgentOpts = {}; + let hasPerRequestTls = false; + + tlsOptionKeys.forEach((prop) => { + if (options[prop] !== undefined) { + perRequestAgentOpts[prop] = options[prop]; + hasPerRequestTls = true; + } + }); + + if (options.agentOptions !== undefined) { + Object.assign(perRequestAgentOpts, options.agentOptions); + hasPerRequestTls = true; + } + + if (options.strictSSL !== undefined) { + perRequestAgentOpts.rejectUnauthorized = options.strictSSL !== false; + hasPerRequestTls = true; + } + + if (hasPerRequestTls) { + axiosOptions.httpsAgent = new https.Agent({ + ...baseAgentOptions, + ...perRequestAgentOpts, + }); + } + return instance(axiosOptions).then((response) => { let requestPath; try { diff --git a/test/unit.js b/test/unit.js index a43e90f..8248864 100644 --- a/test/unit.js +++ b/test/unit.js @@ -856,4 +856,134 @@ describe('node-vault', () => { }); }); }); + + describe('axios TLS options forwarding', () => { + const https = require('https'); + const axios = require('axios'); + let axiosInstanceStub; + let agentSpy; + + beforeEach(() => { + // Stub axios.create to return a controllable instance stub + axiosInstanceStub = sinon.stub().resolves({ + status: 200, + data: {}, + }); + sinon.stub(axios, 'create').returns(axiosInstanceStub); + agentSpy = sinon.spy(https, 'Agent'); + }); + + afterEach(() => { + sinon.restore(); + }); + + it('should create httpsAgent with ca option from config.requestOptions', () => { + const vault = index({ + endpoint: 'http://localhost:8200', + token: '123', + requestOptions: { + ca: 'my-custom-ca-cert', + }, + }); + return vault.read('secret/hello').then(() => { + agentSpy.should.have.been.called(); + const agentArgs = agentSpy.lastCall.args[0]; + expect(agentArgs).to.have.property('ca', 'my-custom-ca-cert'); + }); + }); + + it('should create httpsAgent with cert and key from config.requestOptions', () => { + const vault = index({ + endpoint: 'http://localhost:8200', + token: '123', + requestOptions: { + cert: 'client-cert', + key: 'client-key', + passphrase: 'secret', + }, + }); + return vault.read('secret/hello').then(() => { + agentSpy.should.have.been.called(); + const agentArgs = agentSpy.lastCall.args[0]; + expect(agentArgs).to.have.property('cert', 'client-cert'); + expect(agentArgs).to.have.property('key', 'client-key'); + expect(agentArgs).to.have.property('passphrase', 'secret'); + }); + }); + + it('should create httpsAgent from agentOptions in config.requestOptions', () => { + const vault = index({ + endpoint: 'http://localhost:8200', + token: '123', + requestOptions: { + agentOptions: { + securityOptions: 'SSL_OP_NO_SSLv3', + cert: 'agent-cert', + }, + }, + }); + return vault.read('secret/hello').then(() => { + agentSpy.should.have.been.called(); + const agentArgs = agentSpy.lastCall.args[0]; + expect(agentArgs).to.have.property('securityOptions', 'SSL_OP_NO_SSLv3'); + expect(agentArgs).to.have.property('cert', 'agent-cert'); + }); + }); + + it('should allow per-call TLS options to override config.requestOptions', () => { + const vault = index({ + endpoint: 'http://localhost:8200', + token: '123', + requestOptions: { + ca: 'default-ca', + }, + }); + return vault.read('secret/hello', { ca: 'override-ca' }).then(() => { + agentSpy.should.have.been.called(); + const agentArgs = agentSpy.lastCall.args[0]; + expect(agentArgs).to.have.property('ca', 'override-ca'); + }); + }); + + it('should not create per-request httpsAgent when no TLS options are present', () => { + const vault = index({ + endpoint: 'http://localhost:8200', + token: '123', + }); + return vault.read('secret/hello').then(() => { + const axiosCallArg = axiosInstanceStub.firstCall.args[0]; + expect(axiosCallArg).to.not.have.property('httpsAgent'); + }); + }); + + it('should pass httpsAgent to axios per-request options', () => { + const vault = index({ + endpoint: 'http://localhost:8200', + token: '123', + requestOptions: { + ca: 'my-ca', + }, + }); + return vault.read('secret/hello').then(() => { + const axiosCallArg = axiosInstanceStub.firstCall.args[0]; + expect(axiosCallArg).to.have.property('httpsAgent'); + expect(axiosCallArg.httpsAgent).to.be.an.instanceOf(https.Agent); + }); + }); + + it('should handle strictSSL: false in requestOptions', () => { + const vault = index({ + endpoint: 'http://localhost:8200', + token: '123', + requestOptions: { + strictSSL: false, + }, + }); + return vault.read('secret/hello').then(() => { + agentSpy.should.have.been.called(); + const agentArgs = agentSpy.lastCall.args[0]; + expect(agentArgs).to.have.property('rejectUnauthorized', false); + }); + }); + }); }); From fc25591b6735d284d74187d9243391757215b9e0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 12 Mar 2026 22:34:31 +0000 Subject: [PATCH 4/7] Optimize TLS agent caching: reuse init-time agent, per-request only on override Address code review feedback: config.requestOptions TLS settings are now baked into the default httpsAgent at initialization time. Per-request agents are only created when per-call TLS options differ from the config defaults. Co-authored-by: aviadhahami <7353632+aviadhahami@users.noreply.github.com> --- src/index.js | 58 ++++++++++++++++++++++++++++++++++--------- test/unit.js | 70 ++++++++++++++++++++++++++-------------------------- 2 files changed, 81 insertions(+), 47 deletions(-) diff --git a/src/index.js b/src/index.js index d4a4c56..a4546a3 100644 --- a/src/index.js +++ b/src/index.js @@ -48,8 +48,33 @@ module.exports = (config = {}) => { baseAgentOptions.rejectUnauthorized = false; } - const defaultHttpsAgent = Object.keys(baseAgentOptions).length > 0 - ? new https.Agent(baseAgentOptions) + // Properties that map to https.Agent options for backward compatibility + // with the former postman-request / request library API. + const tlsOptionKeys = ['ca', 'cert', 'key', 'passphrase', 'pfx']; + + // Build the default agent from base options + config.requestOptions TLS + // settings so the common case (no per-call overrides) reuses one agent. + const configReqOpts = config.requestOptions || {}; + const defaultAgentOpts = { ...baseAgentOptions }; + let hasDefaultTls = Object.keys(baseAgentOptions).length > 0; + + tlsOptionKeys.forEach((prop) => { + if (configReqOpts[prop] !== undefined) { + defaultAgentOpts[prop] = configReqOpts[prop]; + hasDefaultTls = true; + } + }); + if (configReqOpts.agentOptions !== undefined) { + Object.assign(defaultAgentOpts, configReqOpts.agentOptions); + hasDefaultTls = true; + } + if (configReqOpts.strictSSL !== undefined) { + defaultAgentOpts.rejectUnauthorized = configReqOpts.strictSSL !== false; + hasDefaultTls = true; + } + + const defaultHttpsAgent = hasDefaultTls + ? new https.Agent(defaultAgentOpts) : undefined; const instance = axios.create({ @@ -60,9 +85,17 @@ module.exports = (config = {}) => { ...(rpDefaults.timeout ? { timeout: rpDefaults.timeout } : {}), }); - // Properties that map to https.Agent options for backward compatibility - // with the former postman-request / request library API. - const tlsOptionKeys = ['ca', 'cert', 'key', 'passphrase', 'pfx']; + // Snapshot config-level TLS references so we can detect per-call overrides. + const configTlsSnapshot = {}; + tlsOptionKeys.forEach((prop) => { + if (configReqOpts[prop] !== undefined) configTlsSnapshot[prop] = configReqOpts[prop]; + }); + if (configReqOpts.agentOptions !== undefined) { + configTlsSnapshot.agentOptions = configReqOpts.agentOptions; + } + if (configReqOpts.strictSSL !== undefined) { + configTlsSnapshot.strictSSL = configReqOpts.strictSSL; + } return function requestWrapper(options) { const axiosOptions = { @@ -75,30 +108,31 @@ module.exports = (config = {}) => { axiosOptions.data = options.json; } - // Map request-style TLS options to a per-request httpsAgent + // Only create a per-request httpsAgent when per-call TLS options + // differ from the config defaults already baked into the instance. + let hasOverride = false; const perRequestAgentOpts = {}; - let hasPerRequestTls = false; tlsOptionKeys.forEach((prop) => { if (options[prop] !== undefined) { perRequestAgentOpts[prop] = options[prop]; - hasPerRequestTls = true; + if (options[prop] !== configTlsSnapshot[prop]) hasOverride = true; } }); if (options.agentOptions !== undefined) { Object.assign(perRequestAgentOpts, options.agentOptions); - hasPerRequestTls = true; + if (options.agentOptions !== configTlsSnapshot.agentOptions) hasOverride = true; } if (options.strictSSL !== undefined) { perRequestAgentOpts.rejectUnauthorized = options.strictSSL !== false; - hasPerRequestTls = true; + if (options.strictSSL !== configTlsSnapshot.strictSSL) hasOverride = true; } - if (hasPerRequestTls) { + if (hasOverride) { axiosOptions.httpsAgent = new https.Agent({ - ...baseAgentOptions, + ...defaultAgentOpts, ...perRequestAgentOpts, }); } diff --git a/test/unit.js b/test/unit.js index 8248864..20adcfa 100644 --- a/test/unit.js +++ b/test/unit.js @@ -861,6 +861,7 @@ describe('node-vault', () => { const https = require('https'); const axios = require('axios'); let axiosInstanceStub; + let axiosCreateStub; let agentSpy; beforeEach(() => { @@ -869,7 +870,7 @@ describe('node-vault', () => { status: 200, data: {}, }); - sinon.stub(axios, 'create').returns(axiosInstanceStub); + axiosCreateStub = sinon.stub(axios, 'create').returns(axiosInstanceStub); agentSpy = sinon.spy(https, 'Agent'); }); @@ -877,23 +878,22 @@ describe('node-vault', () => { sinon.restore(); }); - it('should create httpsAgent with ca option from config.requestOptions', () => { - const vault = index({ + it('should create default httpsAgent with ca option from config.requestOptions', () => { + index({ endpoint: 'http://localhost:8200', token: '123', requestOptions: { ca: 'my-custom-ca-cert', }, }); - return vault.read('secret/hello').then(() => { - agentSpy.should.have.been.called(); - const agentArgs = agentSpy.lastCall.args[0]; - expect(agentArgs).to.have.property('ca', 'my-custom-ca-cert'); - }); + agentSpy.should.have.been.called(); + const agentArgs = agentSpy.lastCall.args[0]; + expect(agentArgs).to.have.property('ca', 'my-custom-ca-cert'); + expect(axiosCreateStub.lastCall.args[0]).to.have.property('httpsAgent'); }); - it('should create httpsAgent with cert and key from config.requestOptions', () => { - const vault = index({ + it('should create default httpsAgent with cert and key from config.requestOptions', () => { + index({ endpoint: 'http://localhost:8200', token: '123', requestOptions: { @@ -902,17 +902,15 @@ describe('node-vault', () => { passphrase: 'secret', }, }); - return vault.read('secret/hello').then(() => { - agentSpy.should.have.been.called(); - const agentArgs = agentSpy.lastCall.args[0]; - expect(agentArgs).to.have.property('cert', 'client-cert'); - expect(agentArgs).to.have.property('key', 'client-key'); - expect(agentArgs).to.have.property('passphrase', 'secret'); - }); + agentSpy.should.have.been.called(); + const agentArgs = agentSpy.lastCall.args[0]; + expect(agentArgs).to.have.property('cert', 'client-cert'); + expect(agentArgs).to.have.property('key', 'client-key'); + expect(agentArgs).to.have.property('passphrase', 'secret'); }); - it('should create httpsAgent from agentOptions in config.requestOptions', () => { - const vault = index({ + it('should create default httpsAgent from agentOptions in config.requestOptions', () => { + index({ endpoint: 'http://localhost:8200', token: '123', requestOptions: { @@ -922,12 +920,10 @@ describe('node-vault', () => { }, }, }); - return vault.read('secret/hello').then(() => { - agentSpy.should.have.been.called(); - const agentArgs = agentSpy.lastCall.args[0]; - expect(agentArgs).to.have.property('securityOptions', 'SSL_OP_NO_SSLv3'); - expect(agentArgs).to.have.property('cert', 'agent-cert'); - }); + agentSpy.should.have.been.called(); + const agentArgs = agentSpy.lastCall.args[0]; + expect(agentArgs).to.have.property('securityOptions', 'SSL_OP_NO_SSLv3'); + expect(agentArgs).to.have.property('cert', 'agent-cert'); }); it('should allow per-call TLS options to override config.requestOptions', () => { @@ -939,7 +935,11 @@ describe('node-vault', () => { }, }); return vault.read('secret/hello', { ca: 'override-ca' }).then(() => { - agentSpy.should.have.been.called(); + // Per-call override creates a new per-request agent + const axiosCallArg = axiosInstanceStub.firstCall.args[0]; + expect(axiosCallArg).to.have.property('httpsAgent'); + expect(axiosCallArg.httpsAgent).to.be.an.instanceOf(https.Agent); + // The last agent created should have the override value const agentArgs = agentSpy.lastCall.args[0]; expect(agentArgs).to.have.property('ca', 'override-ca'); }); @@ -956,7 +956,7 @@ describe('node-vault', () => { }); }); - it('should pass httpsAgent to axios per-request options', () => { + it('should reuse default httpsAgent when config TLS options are unchanged', () => { const vault = index({ endpoint: 'http://localhost:8200', token: '123', @@ -964,26 +964,26 @@ describe('node-vault', () => { ca: 'my-ca', }, }); + const agentCountAfterInit = agentSpy.callCount; return vault.read('secret/hello').then(() => { + // No new agent should be created for request with same config options const axiosCallArg = axiosInstanceStub.firstCall.args[0]; - expect(axiosCallArg).to.have.property('httpsAgent'); - expect(axiosCallArg.httpsAgent).to.be.an.instanceOf(https.Agent); + expect(axiosCallArg).to.not.have.property('httpsAgent'); + expect(agentSpy.callCount).to.equal(agentCountAfterInit); }); }); it('should handle strictSSL: false in requestOptions', () => { - const vault = index({ + index({ endpoint: 'http://localhost:8200', token: '123', requestOptions: { strictSSL: false, }, }); - return vault.read('secret/hello').then(() => { - agentSpy.should.have.been.called(); - const agentArgs = agentSpy.lastCall.args[0]; - expect(agentArgs).to.have.property('rejectUnauthorized', false); - }); + agentSpy.should.have.been.called(); + const agentArgs = agentSpy.lastCall.args[0]; + expect(agentArgs).to.have.property('rejectUnauthorized', false); }); }); }); From 26d575d725a69b9b7b74e5f63dd79ad4f7a88947 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 12 Mar 2026 22:40:11 +0000 Subject: [PATCH 5/7] Forward timeout, httpsAgent, httpAgent from requestOptions; fix stale docs - Forward timeout, httpsAgent, httpAgent from requestOptions to axios per-request options (the README bastion host example now works) - Update README: replace stale postman-request reference with axios - Fix example/auth.js: remove silently-ignored followAllRedirects - Add 3 new tests for timeout, httpsAgent, httpAgent forwarding Co-authored-by: aviadhahami <7353632+aviadhahami@users.noreply.github.com> --- README.md | 8 ++++---- example/auth.js | 8 +++----- index.d.ts | 1 + src/index.js | 11 +++++++++++ test/unit.js | 45 +++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 64 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 608dcae..d2a02d8 100644 --- a/README.md +++ b/README.md @@ -251,10 +251,10 @@ const vault = require('node-vault')({ }); ``` -The `requestOptions` object is passed through to the underlying HTTP library -([postman-request](https://www.npmjs.com/package/postman-request)) for every request. You can -use it to configure any supported request option, including `agentOptions`, custom `headers`, -or a custom `agent`. +The `requestOptions` object supports TLS/SSL options (`ca`, `cert`, `key`, `passphrase`, +`agentOptions`, `strictSSL`) as well as `timeout`, `httpsAgent`, and `httpAgent`. TLS options +are mapped to an `https.Agent` and applied to every request. You can also pass native +[axios](https://axios-http.com/) request options such as custom `headers`. You can also pass request options per-call to any method: diff --git a/example/auth.js b/example/auth.js index 03b8149..96d32ed 100644 --- a/example/auth.js +++ b/example/auth.js @@ -4,11 +4,9 @@ process.env.DEBUG = 'node-vault'; // switch on debug mode const vault = require('./../src/index')(); -const options = { - requestOptions: { - followAllRedirects: true, - }, -}; +// Note: axios follows redirects by default (up to 5). +// Use maxRedirects in requestOptions to customise this behaviour. +const options = {}; vault.auths(options) .then(console.log) diff --git a/index.d.ts b/index.d.ts index f5eb947..0a0d2fa 100644 --- a/index.d.ts +++ b/index.d.ts @@ -20,6 +20,7 @@ declare namespace NodeVault { pfx?: string | Buffer | Array; strictSSL?: boolean; agentOptions?: { [p: string]: any }; + timeout?: number; } interface RequestOption extends Option { diff --git a/src/index.js b/src/index.js index a4546a3..923b7ba 100644 --- a/src/index.js +++ b/src/index.js @@ -108,6 +108,14 @@ module.exports = (config = {}) => { axiosOptions.data = options.json; } + // Forward axios-native options when provided directly. + if (options.timeout !== undefined) { + axiosOptions.timeout = options.timeout; + } + if (options.httpAgent !== undefined) { + axiosOptions.httpAgent = options.httpAgent; + } + // Only create a per-request httpsAgent when per-call TLS options // differ from the config defaults already baked into the instance. let hasOverride = false; @@ -135,6 +143,9 @@ module.exports = (config = {}) => { ...defaultAgentOpts, ...perRequestAgentOpts, }); + } else if (options.httpsAgent !== undefined) { + // Allow passing a pre-built httpsAgent directly (e.g. for proxies). + axiosOptions.httpsAgent = options.httpsAgent; } return instance(axiosOptions).then((response) => { diff --git a/test/unit.js b/test/unit.js index 20adcfa..0d8ea08 100644 --- a/test/unit.js +++ b/test/unit.js @@ -985,5 +985,50 @@ describe('node-vault', () => { const agentArgs = agentSpy.lastCall.args[0]; expect(agentArgs).to.have.property('rejectUnauthorized', false); }); + + it('should forward timeout from requestOptions to axios', () => { + const vault = index({ + endpoint: 'http://localhost:8200', + token: '123', + requestOptions: { + timeout: 5000, + }, + }); + return vault.read('secret/hello').then(() => { + const axiosCallArg = axiosInstanceStub.firstCall.args[0]; + expect(axiosCallArg).to.have.property('timeout', 5000); + }); + }); + + it('should forward httpsAgent from requestOptions to axios', () => { + const customAgent = new https.Agent({ rejectUnauthorized: false }); + const vault = index({ + endpoint: 'http://localhost:8200', + token: '123', + requestOptions: { + httpsAgent: customAgent, + }, + }); + return vault.read('secret/hello').then(() => { + const axiosCallArg = axiosInstanceStub.firstCall.args[0]; + expect(axiosCallArg).to.have.property('httpsAgent', customAgent); + }); + }); + + it('should forward httpAgent from requestOptions to axios', () => { + const http = require('http'); + const customAgent = new http.Agent(); + const vault = index({ + endpoint: 'http://localhost:8200', + token: '123', + requestOptions: { + httpAgent: customAgent, + }, + }); + return vault.read('secret/hello').then(() => { + const axiosCallArg = axiosInstanceStub.firstCall.args[0]; + expect(axiosCallArg).to.have.property('httpAgent', customAgent); + }); + }); }); }); From d43735a6f143abdc3ae7ca25250becf24ba67474 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 12 Mar 2026 22:41:48 +0000 Subject: [PATCH 6/7] Fix CodeQL alert in test: use keepAlive instead of rejectUnauthorized Co-authored-by: aviadhahami <7353632+aviadhahami@users.noreply.github.com> --- test/unit.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/unit.js b/test/unit.js index 0d8ea08..e214419 100644 --- a/test/unit.js +++ b/test/unit.js @@ -1001,7 +1001,7 @@ describe('node-vault', () => { }); it('should forward httpsAgent from requestOptions to axios', () => { - const customAgent = new https.Agent({ rejectUnauthorized: false }); + const customAgent = new https.Agent({ keepAlive: true }); const vault = index({ endpoint: 'http://localhost:8200', token: '123', From 8c237010c6f83d85d0fe5549675eb41ef9e0075f Mon Sep 17 00:00:00 2001 From: Aviad Hahami Date: Fri, 13 Mar 2026 00:51:32 +0200 Subject: [PATCH 7/7] Bump version to 0.11.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index cd9dce7..dfd6e7f 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "node-vault", - "version": "0.11.0", + "version": "0.11.1", "description": "Javascript client for HashiCorp's Vault", "main": "./src/index.js", "scripts": {