appy-one / acebase-server

A fast, low memory, transactional, index & query enabled NoSQL database server for node.js that easily syncs with browser and node.js clients and servers
MIT License

socket.io@2.4.1 has a security issue #18

Closed andywillis closed 2 years ago

andywillis commented 2 years ago

acebase-server@1.10.0 requires engine.io@~3.5.0 via a transitive dependency on socket.io@2.4.1

The current version of socket.io is v4.5.0 which would probably fix it. YMMV tho.

Looking forward to using this for my new project. Good luck!
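Added example, not part of the issue thread or AceBase's own code: a small Node.js script that lists every dependency chain in an npm lockfile ending at a given package, which is how a transitive pull like the one reported above can be confirmed. The lockfile is constructed, and `my-app`, `resolveDep` and `dependencyPaths` are hypothetical names.

```javascript
// Constructed sample: trimmed npm lockfile (lockfileVersion 2/3 "packages" map).
// Package versions come from the issue text; the layout, "my-app", the range
// specifiers and the resolved engine.io version are made up for illustration.
const sampleLock = {
  packages: {
    "": { name: "my-app", dependencies: { "acebase-server": "1.10.0", "socket.io": "4.5.0" } },
    "node_modules/socket.io": { version: "4.5.0" },
    "node_modules/acebase-server": { version: "1.10.0", dependencies: { "socket.io": "2.4.1" } },
    "node_modules/acebase-server/node_modules/socket.io": {
      version: "2.4.1", dependencies: { "engine.io": "~3.5.0" } },
    "node_modules/engine.io": { version: "3.5.0" },
  },
};

// Resolve `name` the way Node does: nearest node_modules first, then walk up.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. skipped optional dependency)
    const i = base.lastIndexOf("node_modules/");
    base = i <= 0 ? "" : base.slice(0, i - 1);
  }
}

// Return every chain "root > a@x > b@y" that ends at `target`.
function dependencyPaths(lock, target) {
  const packages = lock.packages;
  const found = [];
  const walk = (path, chain, seen) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const child = resolveDep(packages, path, name);
      if (!child || seen.has(child)) continue; // missing or cyclic
      const next = [...chain, `${name}@${packages[child].version}`];
      if (name === target) found.push(next.join(" > "));
      else walk(child, next, new Set(seen).add(child));
    }
  };
  walk("", [packages[""].name || "(root)"], new Set([""]));
  return found;
}

console.log(dependencyPaths(sampleLock, "engine.io"));
```

In the constructed layout, the application's own socket.io 4.5.0 sits beside the 2.4.1 copy nested under acebase-server, so listing the paths for `socket.io` shows both copies.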

appy-one commented 2 years ago

Thanks Andy, I'll investigate this

appy-one commented 2 years ago

I've updated socket.io to v4.5 in this commit. I've briefly tested if it works with current clients that still use 2.x, appears to work. Will do some more testing next week. If you'd like to test yourself in the meantime, please do!

appy-one commented 2 years ago

I published v1.11.0 last week, which now uses Socket.IO v4.5. I thoroughly tested with current clients, let me know if you run into unexpected behavior.
