RafalWilinski / express-status-monitor

🚀 Realtime Monitoring solution for Node.js/Express.js apps, inspired by status.github.com, sponsored by https://dynobase.dev
MIT License
3.6k stars, 257 forks

Security Vulnerability in several package dependencies WS, Negotiator #58

Closed idanielsteven closed 7 years ago

idanielsteven commented 8 years ago

NSP found these packages need to be moved from/to to fix security vulnerabilities

WS from 1.1.0 to 1.1.1 (patch fix) Module ws has a known vulnerability: "DoS due to excessively large websocket message"

Negotiator from 0.4.9 to 0.6.1 (patch fix) ISSUE: Module negotiator has a known vulnerability: "Regular Expression Denial of Service"
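The two findings above are the kind of thing an audit tool reports by comparing each installed version in the dependency tree against an advisory's fixed-in version. The script below is an added example, not code from express-status-monitor or from NSP/Snyk: it walks a package-lock-style tree (the nested `dependencies` map of a v1 package-lock.json), flags any `ws` below 1.1.1 or `negotiator` below 0.6.1 (the ranges stated in this issue), and prints the path through which each vulnerable copy is pulled in, so the reader can tell a direct dependency from one that only a transitive dependency can fix. The sample tree, including every parent package version in it, is constructed for the example and is not the project's real lock file.

```javascript
// Added example: audit a package-lock-style dependency tree against a small
// advisory table and report each vulnerable package with its dependency path.
// Not part of express-status-monitor; the ws/negotiator fixed versions come
// from the issue text, everything else here is constructed.

// Minimal semver parse: "1.1.0" -> [1, 1, 0]; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator; numeric comparison per component.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Advisory table as stated in the issue: fixed in 1.1.1 / 0.6.1, so any
// installed version below the fixed one is affected.
const ADVISORIES = [
  { name: 'ws', fixedIn: '1.1.1', title: 'DoS due to excessively large websocket message' },
  { name: 'negotiator', fixedIn: '0.6.1', title: 'Regular Expression Denial of Service' },
];

// All advisories that apply to this exact name@version (usually zero or one).
function isVulnerable(name, version) {
  return ADVISORIES.filter(a => a.name === name && compareVersions(version, a.fixedIn) < 0);
}

// Recursively walk { name: { version, dependencies: {...} } } and collect
// findings; `path` records how the package was reached from the top level.
function auditTree(deps, path = [], findings = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${entry.version}`];
    for (const adv of isVulnerable(name, entry.version)) {
      findings.push({
        name,
        version: entry.version,
        fixedIn: adv.fixedIn,
        title: adv.title,
        path: here.join(' > '),
      });
    }
    auditTree(entry.dependencies, here, findings);
  }
  return findings;
}

// Constructed sample tree (hypothetical versions; not the project's lock file):
// one vulnerable ws reached only through socket.io, one patched negotiator
// under express > accepts, and one vulnerable negotiator installed directly.
const SAMPLE_TREE = {
  'socket.io': { version: '1.4.8', dependencies: {
    'engine.io': { version: '1.6.11', dependencies: {
      ws: { version: '1.1.0' },
    } },
  } },
  express: { version: '4.14.0', dependencies: {
    accepts: { version: '1.3.3', dependencies: {
      negotiator: { version: '0.6.1' },
    } },
  } },
  negotiator: { version: '0.4.9' },
};

// Print one line per finding plus the dependency path, and return the findings.
function report(tree) {
  const findings = auditTree(tree);
  for (const f of findings) {
    console.log(`${f.name}@${f.version} (fixed in ${f.fixedIn}): ${f.title}\n  via ${f.path}`);
  }
  return findings;
}

// Run the sample audit when executed directly as a CommonJS script.
if (typeof require !== 'undefined' && require.main === module) report(SAMPLE_TREE);
```

The path column is the useful part for a maintainer: a finding whose path starts with another package (here `socket.io > engine.io > ws`) cannot be fixed by editing this project's own package.json range; it needs the intermediate package to bump its dependency, or a lock-file override, which is the situation the thread describes.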

RafalWilinski commented 8 years ago

I feel like it's not actionable for now, it's socket.io issue. I've added Snyk to watch these vulnerabilities regularly.

idanielsteven commented 8 years ago

I opened an issue on Socket.IO's git/issues. I'll keep you apprised of a potential fix/release.

RafalWilinski commented 7 years ago

This should resolve the problem: https://github.com/RafalWilinski/express-status-monitor/pull/62/files