Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resource exhaustion in engine.io dependency from npm audit #1926

Closed
zachleat opened this issue Feb 10, 2022 · 2 comments · Fixed by #1936
Closed

Resource exhaustion in engine.io dependency from npm audit #1926

zachleat opened this issue Feb 10, 2022 · 2 comments · Fixed by #1936

Comments

@zachleat
Copy link

Report at GHSA-j4f2-536g-r55m

https://www.npmjs.com/package/socket.io is currently at 4.4.x but this package is using 2.4.x

browser-sync/packages/browser-sync/package.json

Line 63 in a7c14c8

"socket.io": "2.4.0",

@zachleat zachleat mentioned this issue Feb 10, 2022
Closed
@ludofischer
Copy link

According to the migration guides, it would be possible to upgrade the server to 4 while maintaining compatibility with 2.x clients, so keeping the same supported browsers as before. Don't know if that's worth attempting as they mention only dropping support for IE 8.

@lachieh
Copy link
Contributor

lachieh commented Feb 24, 2022

Duplicate issue. See #1850 for original.

@lachieh lachieh mentioned this issue Feb 24, 2022
Merged
This was referenced Mar 13, 2022
Merged
Merged
Merged
Merged
Closed
Merged
Open
Merged
Open
Merged
Merged
Merged
Open
Merged
Merged
Open
Merged
Open
Merged
Merged
Merged
Open
Open
Open
Merged
This was referenced Apr 4, 2022
Merged
Merged
Merged
Merged
Merged
Merged
Merged
This was referenced Apr 18, 2022
Merged
Merged
Merged
Merged
This was referenced Apr 19, 2022
Open
Open
Open
This was referenced Apr 24, 2022
Merged
Open
Open
Open
Open
Open
Merged
@mend-for-github-com mend-for-github-com bot mentioned this issue May 2, 2022
Open
1 task
This was referenced May 2, 2022
Closed
Merged
@moul-bot moul-bot mentioned this issue Oct 2, 2022
Closed
@asbhogal asbhogal mentioned this issue Oct 22, 2022
Closed
This was referenced Oct 31, 2022
Merged
Merged
@q1blue q1blue mentioned this issue Feb 7, 2024
Open
@renovate renovate bot mentioned this issue Sep 4, 2024
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Upgrade to latest version of socket.io due to security vulnerability
3 participants
@zachleat @ludofischer @lachieh