13 vulnerabilities found in 59 packages #3464

Closed
stuk88 opened this issue Jan 5, 2016 · 14 comments

@stuk88

stuk88 commented Jan 5, 2016

Snyk test report for sails found 13 vulnerabilities in 59 packages
https://snyk.io/test/npm/sails

@sgress454
Member

This is awesome, thanks! We'll run it on the upcoming v0.12.x release, I think some of these issues have been fixed (the Express version, for example).

@mikermcneil
Member

@stuk88 Thanks for posting. If we're able to isolate any of these issues in 0.11, we'll also release a patch. For future reference, please review our vulnerability disclosure guide for the appropriate way of reporting a suspected security issue.

@mikermcneil
Member

Ok, so Socket.io 1.4.0 which was just released fixes two of these issues: socketio/socket.io#2327 (comment)

@mikermcneil
Member

If express-handlebars is not upgraded in the next couple of days (see ericf/express-handlebars#142 (comment)), we'll include a conditional warning in core that displays if you're using handlebars about that potential vulnerability.

@RWOverdijk
Contributor

Well done :)

@sgress454
Member

I added a warning that displays if you're using handlebars < 4. If/when the express-handlebars update drops, the warning should go away after the end user does an npm update. ff56838

@sgress454
Member

Ok, v0.11.4 is out which addresses most of the vulnerabilities. The only relevant remaining ones are express-handlebars and sails-hook-sockets, because the socket.io-client update failed to update the underlying engine.io dependency. Once that gets done, I'll bump sails-hook-sockets again. Unfortunately the 1.3.7->1.4.0 update had some breaking changes for us that have been fixed, but it means that to play on the safe side I had to peg the versions at 1.4.0. So, when the next update to socket.io-client comes out I'll bump the version in sails-hook-sockets again, and all should be right with the world. Whew.

The remaining vulnerabilities don't have direct remedies, but they also only affect grunt, so they should never be an issue in a production environment.

@mikermcneil
Member

👍 @sgress454 💧 ⚡

To add a bit more color: As @sgress454 pointed out, with the exception of the socket.io-client thing (which @rauchg is on top of) the remaining vulnerabilities not addressed by 0.11.4 are from grunt-contrib-watch (which is only used in development) and express-handlebars (for which we've added a warning).

I'll leave this issue open until the socket.io-client dep is updated (we'll just need to make a change to the generator).

@stuk88 thanks again!

@jasalazar

Hello everyone, I am starting the Sails way and it's awesome!

How can I update to this release on my current Sails project?

Thanks a lot!

@mikermcneil
Member

@jasalazar you can update by running npm install sails@latest --force --save. Hope that helps!

@mikermcneil mikermcneil added the bug label Jan 8, 2016
@mikermcneil
Member

Update: Guillermo patched socket.io-client and socket.io for everyone last night. We'll bump the generators today, and then do another patch to sails-hook-sockets to bump the deps once we've had a chance to do some more in-depth testing (likely tomorrow or Monday -- the only thing that will be affected in the meantime are the integration tests therein).

@sgress454
Member

We're all set with sails-hook-sockets, sails.io.js and sails-generate-sails.io.js updated to use the latest versions of socket.io and socket.io-client (v1.4.3). I've left the dependencies as ~1.4.3 ranges in case any more updates are pushed out. Thanks everyone for the support on this! We're subscribed to the GitHub issue for the express-handlebars update, so when that's patched (hopefully soon) we'll be notified and will be able to update Sails accordingly.
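Two mechanisms come up in the comments above: the conditional "handlebars < 4" warning added to core, and the choice between pegging socket.io-client at exactly 1.4.0 versus leaving it as a ~1.4.3 range. The following is an added illustration, not Sails code, of how such a version gate and range check behave; the function names and the warning text are the example's own, and only plain MAJOR.MINOR.PATCH versions are handled.

```javascript
// Added example (not from the Sails project): a minimal installed-version gate
// and dependency-range check of the kind discussed in this thread.
// Prerelease tags (e.g. "-beta.1") are not modeled; only "MAJOR.MINOR.PATCH".

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" is accepted).
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(str).trim());
  if (!m) throw new Error(`unparseable version: ${str}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Numeric precedence: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  return (va.major - vb.major) || (va.minor - vb.minor) || (va.patch - vb.patch);
}

// Does `installed` satisfy a package.json spec? Two forms from the thread:
//   "1.4.0"  -> exact peg, nothing else is accepted
//   "~1.4.3" -> same major.minor, patch >= 3 (patch-level updates allowed)
function satisfies(installed, spec) {
  if (spec.startsWith('~')) {
    const base = parseVersion(spec.slice(1));
    const got = parseVersion(installed);
    return got.major === base.major && got.minor === base.minor && got.patch >= base.patch;
  }
  return compareVersions(installed, spec) === 0;
}

// Conditional warning in the spirit of the one described for Sails core:
// only fires when the handlebars view engine is in use AND the installed
// handlebars is older than 4.0.0. Returns the message, or null when clean.
function handlebarsWarning(viewEngine, installedVersion) {
  if (viewEngine !== 'handlebars') return null;
  if (compareVersions(installedVersion, '4.0.0') >= 0) return null;
  return `handlebars@${installedVersion} is below 4.0.0 and has a known ` +
         `vulnerability; run \`npm update\` once express-handlebars allows handlebars >= 4`;
}

// Stand-alone demo with constructed values.
console.log(satisfies('1.4.5', '~1.4.3'), satisfies('1.4.5', '1.4.0')); // true false
console.log(handlebarsWarning('handlebars', '3.0.3'));                    // warning text
console.log(handlebarsWarning('ejs', '3.0.3'));                           // null
```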

@mikermcneil
Member

We're subscribed to the GitHub issue for the express-handlebars update, so when that's patched (hopefully soon) we'll be notified and will be able to update Sails accordingly.

To add to this, the express-handlebars dependency is only actually used in Sails core if you change the default view engine from ejs to handlebars (it's included to make it easier for folks using handlebars to take advantage of layouts and partials).

5 participants