BrowserSync / browser-sync

Keep multiple browsers & devices in sync when building websites. https://browsersync.io
https://discord.gg/2d2xUThp
Apache License 2.0

High and medium vulnerabilities found in deps Engine.io + glob-parent. #1847

Closed mejiaj closed 2 years ago

mejiaj commented 3 years ago

Issue details

Snyk scan found the following vulnerabilities with dependencies.

✗ High severity vuln found in engine.io@3.5.0, introduced via browser-sync@2.26.14
    Description: Denial of Service (DoS)
    Info: https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
    From: browser-sync@2.26.14 > socket.io@2.4.0 > engine.io@3.5.0

✗ Medium severity vuln found in glob-parent@5.1.1, introduced via browser-sync@2.26.14
    Description: Regular Expression Denial of Service (ReDoS)
    Info: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
    From: browser-sync@2.26.14 > chokidar@3.5.1 > glob-parent@5.1.1

Steps to reproduce/test case

Please provide necessary steps for reproduction of this issue, or better the reduced test case (without any external dependencies).

Please specify which version of Browsersync, node and npm you're running

Affected platforms

Browsersync use-case

If CLI, please paste the entire command below

N/A

For all other use-cases (gulp, grunt etc.), please show us exactly how you're using Browsersync

N/A
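The two "From:" chains in the Snyk output above can be recovered from an `npm ls --json`-shaped dependency tree. The following is an added example (not Browsersync's or Snyk's code) that walks such a tree and reports every path to a package whose installed version is below the version that fixes the advisory. The tree is constructed to mirror the report, and the `fixedIn` versions (4.0.0 for engine.io, matching the note that the fix shipped in version 4; 5.1.2 for glob-parent) are assumptions for the example, not values taken from the advisories.

```javascript
// Constructed `npm ls --json`-style tree mirroring the two chains in the report.
const tree = {
  name: 'my-site', version: '1.0.0',
  dependencies: {
    'browser-sync': {
      version: '2.26.14',
      dependencies: {
        'socket.io': { version: '2.4.0', dependencies: { 'engine.io': { version: '3.5.0' } } },
        chokidar: { version: '3.5.1', dependencies: { 'glob-parent': { version: '5.1.1' } } },
      },
    },
  },
};

// Advisory table: any installed version below `fixedIn` is treated as affected.
// The fixedIn values are assumptions for this example, not taken from the advisories.
const advisories = {
  'engine.io': { id: 'SNYK-JS-ENGINEIO-1056749', fixedIn: '4.0.0' },
  'glob-parent': { id: 'SNYK-JS-GLOBPARENT-1016905', fixedIn: '5.1.2' },
};

// Minimal major.minor.patch comparison (no prerelease handling); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk; `path` holds "name@version" segments from the direct dependency down,
// which is the same shape as the "From:" line Snyk prints.
function findVulnerablePaths(node, advisoryTable, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    const adv = advisoryTable[name];
    if (adv && compareVersions(dep.version, adv.fixedIn) < 0) {
      hits.push({ id: adv.id, path: here.join(' > ') });
    }
    hits.push(...findVulnerablePaths(dep, advisoryTable, here));
  }
  return hits;
}

for (const hit of findVulnerablePaths(tree, advisories)) {
  console.log(`${hit.id}: ${hit.path}`);
}
```

Feeding real output of `npm ls --json --all` into `findVulnerablePaths` in place of the constructed tree gives the same "From:" chains for a project's actual install.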

cronon commented 3 years ago

I see engine.io has already patched their library; unfortunately the patch leads to breaking changes, so they published it in version 4: https://github.com/socketio/engine.io/issues/612

lachieh commented 2 years ago

This is the original issue, but #1850 has more details and more people are following it.