feathersjs / feathers

The API and real-time application framework
https://feathersjs.com
MIT License

npm audit finds security issue in @feathersjs/socketio #2335

Closed paulh-adion closed 3 years ago

paulh-adion commented 3 years ago

Steps to reproduce

npm install @feathersjs/socketio
npm audit

Expected behavior

npm audit finds 0 security vulnerabilities

Actual behavior

npm audit finds a security issue:

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  High            Arbitrary Code Injection

  Package         xmlhttprequest-ssl

  Patched in      >=1.6.2

  Dependency of   @feathersjs/socketio

  Path            @feathersjs/socketio > socket.io > socket.io-client >
                  engine.io-client > xmlhttprequest-ssl

  More info       https://npmjs.com/advisories/1665

found 1 high severity vulnerability in 1 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Module versions (especially the part that's not working):

npm 6.14.9
@feathersjs/socketio 4.5.11

daffl commented 3 years ago

Unless socket.io fixes this in the 2.x version this can only be solved by upgrading to the Feathers 5 prerelease which is documented here.

paulh-adion commented 3 years ago

npm audit now suggests running the following command to resolve the vulnerability:

npm update engine.io-client --depth 4
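Added example, not code from Feathers or npm: an offline check that every installed copy of xmlhttprequest-ssl in a lockfileVersion 1 package-lock.json (the format npm 6 writes) meets the patched floor >=1.6.2 from advisory 1665, including nested copies that a hoisted patched copy would not replace. The sample lockfile and its socket.io, socket.io-client and engine.io-client versions are constructed for the example.

```python
"""Offline check of a lockfileVersion 1 package-lock.json (npm 6): is every
installed copy of a package at or above the patched floor npm audit gave?"""
import json
import re
import sys

def _chain(pairs):
    """Build nested v1 'dependencies' entries from [(name, version), ...]."""
    node = {}
    for name, version in reversed(pairs):
        node = {name: {"version": version, "dependencies": node}}
    return node

# Constructed sample lockfile (not a real project's): it nests the dependency
# path npm audit printed, with an unpatched copy at the end of that path and
# a hoisted, patched copy at the top level. Versions are illustrative only.
SAMPLE_LOCK = {"lockfileVersion": 1, "dependencies": {
    **_chain([("@feathersjs/socketio", "4.5.11"), ("socket.io", "2.0.0"),
              ("socket.io-client", "2.0.0"), ("engine.io-client", "3.0.0"),
              ("xmlhttprequest-ssl", "1.5.5")]),
    "xmlhttprequest-ssl": {"version": "1.6.3"},
}}

def parse_version(v):
    """'1.6.2' -> (1, 6, 2); prerelease/build suffixes are dropped."""
    core = re.split(r"[-+]", v.strip().lstrip("v"), maxsplit=1)[0]
    parts = [int(x) for x in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def find_installs(lock, package):
    """Yield (path, version) for every installed copy of `package`. A patched
    hoisted copy does not help a dependent that resolves a nested, older one."""
    def walk(deps, path):
        for name, entry in deps.items():
            here = path + [name]
            if name == package:
                yield " > ".join(here), entry.get("version", "")
            yield from walk(entry.get("dependencies", {}), here)
    yield from walk(lock.get("dependencies", {}), [])

def audit_floor(lock, package, floor):
    """Return [(path, version, ok)] with ok True when version >= floor."""
    return [(path, v, parse_version(v) >= parse_version(floor))
            for path, v in find_installs(lock, package)]

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, v, ok in audit_floor(lock, "xmlhttprequest-ssl", "1.6.2"):
        print("OK " if ok else "BAD", v.ljust(8), path)
```

Run it against a real lockfile with `python check.py package-lock.json`; any BAD line after `npm update engine.io-client --depth 4` means a nested copy was not replaced.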