ffd8 / P5LIVE

p5.js collaborative live-coding vj environment!
https://p5live.org
GNU General Public License v3.0

obsolete socket.io contains a high severity vulnerability (Resource exhaustion in engine.io) #73

Open SableRaf opened 2 years ago

SableRaf commented 2 years ago

npm audit returns the following

# npm audit report

engine.io  <4.0.0
Severity: high
Resource exhaustion in engine.io  - https://github.com/advisories/GHSA-j4f2-536g-r55m
fix available via `npm audit fix --force`
Will install socket.io@4.4.1, which is a breaking change
node_modules/engine.io
  socket.io  1.0.0-pre - 2.4.1
  Depends on vulnerable versions of engine.io
  node_modules/socket.io

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
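An added example (not P5LIVE's code) that reproduces the audit's reasoning offline: it checks constructed installed versions against the two vulnerable ranges quoted in the report and flags whether moving to the fixed version crosses a major version, which is why npm calls the fix a breaking change. The installed versions and the engine.io fixed-in version (4.0.0, implied by the `<4.0.0` range) are assumptions.

```javascript
// Added example, not part of the P5LIVE project.
// Installed versions as they would be read from node_modules/*/package.json
// (constructed sample values; the report does not state the installed versions).
const installed = { 'engine.io': '3.5.0', 'socket.io': '2.4.1' };

// Vulnerable ranges quoted in the npm audit report above. fixedIn for engine.io
// is assumed from the "<4.0.0" range; socket.io's comes from the report.
const advisories = [
  { pkg: 'engine.io', range: '<4.0.0', fixedIn: '4.0.0', advisory: 'GHSA-j4f2-536g-r55m' },
  { pkg: 'socket.io', range: '1.0.0-pre - 2.4.1', fixedIn: '4.4.1', advisory: 'GHSA-j4f2-536g-r55m' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`bad version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null };
}

// SemVer ordering: numeric parts first; a prerelease sorts below its release,
// which is what makes "1.0.0-pre" the low end of socket.io's range.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Supports the two range forms the report uses: "<X" and "A - B" (inclusive).
function inRange(version, range) {
  const hy = range.split(' - ');
  if (hy.length === 2) return compare(version, hy[0]) >= 0 && compare(version, hy[1]) <= 0;
  if (range.startsWith('<')) return compare(version, range.slice(1)) < 0;
  throw new Error(`unsupported range: ${range}`);
}

// One finding per advisory whose range matches the installed version; the
// "breaking" flag is true when the fix requires a different major version.
function audit(installedVersions, advisoryList) {
  return advisoryList
    .filter(a => installedVersions[a.pkg] && inRange(installedVersions[a.pkg], a.range))
    .map(a => ({
      pkg: a.pkg,
      installed: installedVersions[a.pkg],
      advisory: a.advisory,
      breaking: parse(a.fixedIn).nums[0] !== parse(installedVersions[a.pkg]).nums[0],
    }));
}
```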
ffd8 commented 2 years ago

Hey @SableRaf - awesome and thanks for the heads up! GitHub shows me an issue with the marked.js lib that needs to be updated, but hadn't seen anything on this. Will add to queue of next version update.