Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue for socket.io dependency #1850

Closed
6 tasks done
KirilVandov opened this issue Feb 22, 2021 · 7 comments · Fixed by #1936
Closed
6 tasks done

Security issue for socket.io dependency #1850

KirilVandov opened this issue Feb 22, 2021 · 7 comments · Fixed by #1936

Comments

@KirilVandov
Copy link

Issue details

There is a security issue with the current version of socket.io
https://www.npmjs.com/advisories/1609

The advisory from npm is to "Update to version 2.4.0 or later."

Steps to reproduce/test case

Simply npm install and you will get the security issue reported
https://www.npmjs.com/advisories/1609

Please specify which version of Browsersync, node and npm you're running

  • Browsersync [ X ]
  • Node [ ]
  • Npm [ ]

Affected platforms

  • linux
  • windows
  • OS X
  • freebsd
  • solaris
  • other (please specify which)
@abbyblachman
Copy link

+1

@mef
Copy link

mef commented Mar 19, 2021

The latest version of browser-sync already uses socket.io v2.4.0 (source), you might want to update browser-sync in your app.

@casingh1990
Copy link

Please see

I think based on these we may need to consider:

  • engine.io 4+
  • socket.io-parser 3.4.1+

@rishi241424
Copy link

My browser-synch version is 2.26.14 (latest version), but still my my scan reports says HIGH Serverity for this engine and socket packages.
engine.io:3.5.0
socket.io-parser:3.3.2

@lachieh
Copy link
Contributor

lachieh commented Feb 24, 2022
edited
Loading

There are a number of issues that keep getting created for this security warning. What is required to get the updated socket.io package merged?

This was referenced Feb 24, 2022
Closed
Closed
Closed
Closed
Closed
Merged
@zachleat zachleat mentioned this issue Feb 28, 2022
Closed
@abbyblachman
Copy link

+1

@stratboy
Copy link

stratboy commented Mar 4, 2022

Same problem here

This was referenced Mar 13, 2022
Merged
Merged
Merged
Merged
Closed
Merged
Open
Merged
Open
Merged
Merged
Merged
Open
Merged
Merged
This was referenced Apr 4, 2022
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
This was referenced Apr 18, 2022
Merged
Merged
Merged
Merged
This was referenced Apr 19, 2022
Open
Open
Open
This was referenced Apr 24, 2022
Merged
Open
Open
Open
Open
Open
Merged
@mend-for-github-com mend-for-github-com bot mentioned this issue May 2, 2022
Open
1 task
This was referenced May 2, 2022
Closed
Merged
@moul-bot moul-bot mentioned this issue Oct 2, 2022
Closed
This was referenced Oct 31, 2022
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Upgrade to latest version of socket.io due to security vulnerability
7 participants
@stratboy @mef @lachieh @KirilVandov @casingh1990 @abbyblachman @rishi241424