Is it possible to update dependency to remove the vulnerability CVE-2020-36048? #4047
Labels
bug
Something isn't working
Comments
|
@evansrobert please see my answer here: socketio/engine.io#612 (comment) |
|
@darrachequesne Thanks for your answer. |
|
Closed due to inactivity, please reopen if needed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Subject of the issue
[email protected] requires [email protected], which has a security problem(high severity) (see: CVE-2020-36048):
[email protected] ➔ [email protected]I do not know if this vulnerability actually affects socket.io, but it will show up in security reports about dependencies. Since a large number of developers still use [email protected].*(1,762,377 downloads per week), is there any posibility that you could release an update version for 2.4.* (ie 2.4.2) that introduces a patched version(>=4.0.0) of engine.io?
In [email protected], maybe you can perform the following update:
engine.io ~3.5.0 ➔ ~4.0.0where [email protected](>=4.0.0) has fixed the vulnerability CVE-2020-36048.
The text was updated successfully, but these errors were encountered: