crisp-im / node-crisp-api

:zap: Crisp API Node Wrapper
https://docs.crisp.chat/guides/rest-api/
MIT License

Updating critical vulnerability dependency #54

Closed Ericlm closed 1 year ago

Ericlm commented 1 year ago

When installing crisp-api (7.4.2), npm reported three critical vulnerabilities, like so:

```
# npm audit report

socket.io-parser  4.0.4 - 4.2.2
Severity: critical
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-qm95-pgcg-qqfq
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-cqmj-92xf-r6r9
fix available via `npm audit fix --force`
Will install crisp-api@5.1.0, which is a breaking change
node_modules/crisp-api/node_modules/socket.io-parser
  socket.io-client  1.0.0-pre - 1.0.1 || 4.3.0 - 4.4.1
  Depends on vulnerable versions of socket.io-parser
  node_modules/crisp-api/node_modules/socket.io-client
    crisp-api  >=5.2.0
    Depends on vulnerable versions of socket.io-client
    node_modules/crisp-api

3 critical severity vulnerabilities
```

It would be great if you could upgrade the dependencies 🙂

eliottvincent commented 1 year ago

Hey, I just released 8.0.3 which fixes this, thanks for reporting!
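
The following is an added example, not part of the issue thread or the crisp-api project's code: it scans the `packages` map of a `package-lock.json` for nested copies of socket.io-parser in the range the audit report flags (4.0.4 - 4.2.2) and reports which package pulled each one in. The lockfile is constructed sample data, and the function names are hypothetical.

```javascript
// Constructed lockfile in the lockfileVersion 2/3 "packages" layout.
// Only crisp-api 7.4.2 and the flagged range come from the issue; the rest are sample values.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "crisp-api": "^7.4.2" } },
    "node_modules/crisp-api": { version: "7.4.2" },
    "node_modules/crisp-api/node_modules/socket.io-client": { version: "4.4.1" },
    "node_modules/crisp-api/node_modules/socket.io-parser": { version: "4.0.4" },
    "node_modules/socket.io-parser": { version: "4.2.3" },
  },
};

// Parse "x.y.z" into numbers; pre-release and build suffixes are ignored for simplicity.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Return every install of `name` whose version lies in [low, high],
// together with the chain of packages that nests it ("via").
function findVulnerable(lock, name, low, high) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const parts = path.split("node_modules/").filter(Boolean).map((p) => p.replace(/\/$/, ""));
    if (parts[parts.length - 1] !== name || !meta.version) continue;
    if (compareVersions(meta.version, low) >= 0 && compareVersions(meta.version, high) <= 0) {
      hits.push({ path, version: meta.version, via: parts.slice(0, -1) });
    }
  }
  return hits;
}

const findings = findVulnerable(SAMPLE_LOCK, "socket.io-parser", "4.0.4", "4.2.2");
for (const f of findings) {
  console.log(`${f.path} @ ${f.version} via ${f.via.join(" > ") || "(top level)"}`);
}
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of `SAMPLE_LOCK`.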