search

RafalWilinski / express-status-monitor

🚀 Realtime Monitoring solution for Node.js/Express.js apps, inspired by status.github.com, sponsored by https://dynobase.dev
https://dynobase.dev/
MIT License
3.59k stars 253 forks source link

Critical security vulnerability #182

Open skhilliard opened 2 years ago

skhilliard commented 2 years ago

Any chance of updating the socket.io/socket.io-client to a newer version to eliminate this vulnerability?

express-status-monitor@1.3.3 ->socket.io@2.3.0 -> socket.io-client@2.3.0 -> engine.io-client@3.4.4 -> xmlhttprequest-ssl@1.5.5

https://github.com/advisories/GHSA-72mh-269x-7mh5

Thanks

lamweili commented 2 years ago

This is closed with the 1.3.4 release (https://github.com/RafalWilinski/express-status-monitor/commit/be7b8fcfc6d24a45fee9c0c815ec2636ee621cfb) as they have upgraded socket.io@2.3.0 to socket.io@2.4.1

Nevertheless, there is 1 outstanding security vulnerability, https://github.com/advisories/GHSA-j4f2-536g-r55m. express-status-monitor@1.3.4 > socket.io@2.4.1 > engine.io@3.5.0

This has been committed as https://github.com/RafalWilinski/express-status-monitor/commit/1a38ae56dfdb1808aa68ce196db008b28efce49f (or PR #188), upgraded socket.io@2.4.1 to socket.io@4.4.1, but yet to have a release.