Closed pedrosanta closed 2 years ago
Upon closer inspection, I've noticed that the Node.js `http2` module only became stable from v10.10.0 onwards.

And since grunt-contrib-connect supports Node.js versions 10 or greater (`"engines": { "node": ">=10" }`), it supports all versions of the 10.x release, including earlier ones where the `http2` module was still an experimental API.

So, from my POV, unless the supported Node versions were updated (and thus triggering a major version bump on grunt-contrib-connect to 4.0.0), we should not move/upgrade to the Node.js `http2` module.

Which is kinda unfortunate because:

- The `node-http2` repository (which was itself a fork of https://github.com/molnarg/node-http2 / the `http2` npm package, which since went seemingly unpublished too) was deleted/is nowhere to be found (see here: https://www.npmjs.com/package/node-http2), so one can't submit Issues or PRs to fix the security vulnerability that the latest `node-http2` release/version (4.0.1) has.
- `node-http2` 4.0.1 depends on `"websocket-stream": "^5.0.1"`, which depends (even on the latest version/release, 5.4.0) on `"ws": "^3.2.0"`, which has a security vulnerability: https://github.com/advisories/GHSA-6fc8-4gx4-v693 (I've created the https://github.com/maxogden/websocket-stream/issues/162 issue to track this).
- `http2` module ready to go at https://github.com/pedrosanta/grunt-contrib-connect/tree/http2-update.

But again, from my POV:

- `websocket-stream` upgrade their `ws` dependency.

PS: Meanwhile I'll update this issue to reference/track the security vulnerability in the first place, more so than moving to the `http2` module, etc.
Closing in favor of #270.
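As an added example (not code from this issue or from the grunt-contrib-connect project), a small script that walks an `npm ls --json`-shaped dependency tree and prints every path that reaches a package resolved to a version older than the fix. The sample tree is constructed to mirror the chain discussed above (`node-http2` 4.0.1 pulling `websocket-stream`, which pulls `ws` 3.x); the `ws` fixed-in version is an assumption for the demo, not the advisory's real range.

```javascript
'use strict';
// Added example (not from the grunt-contrib-connect issue or project): report
// dependency paths that reach a package below its fixed version. The tree is
// CONSTRUCTED; ASSUMED_WS_FIXED_IN is an assumption, not the advisory's range.

// Minimal "x.y.z" comparison: returns -1, 0 or 1 (no pre-release handling).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over { name, version, dependencies: { name: node } } nodes.
// Returns every dependency path (root > ... > pkg@ver) where `pkgName`
// resolves to a version older than `fixedIn`.
function findVulnerablePaths(tree, pkgName, fixedIn) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = path.concat(`${name}@${node.version}`);
    if (name === pkgName && cmpVersion(node.version, fixedIn) < 0) {
      hits.push(here.join(' > '));
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// CONSTRUCTED sample: an app pulling node-http2 4.0.1 transitively, plus a
// direct ws that is already new enough and must not be reported.
const sampleTree = {
  name: 'my-grunt-project', version: '1.0.0',
  dependencies: {
    'node-http2': { version: '4.0.1', dependencies: {
      'websocket-stream': { version: '5.4.0', dependencies: {
        ws: { version: '3.2.0', dependencies: {} } } } } },
    ws: { version: '7.5.0', dependencies: {} },
  },
};
const ASSUMED_WS_FIXED_IN = '3.3.1'; // assumption for the demo only
console.log(findVulnerablePaths(sampleTree, 'ws', ASSUMED_WS_FIXED_IN));
```

Feed it the parsed output of `npm ls --json --all` from a real project and the advisory's actual fixed version to see which paths still pull the old `ws`.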
Hi,

As I've commented on https://github.com/gruntjs/grunt-contrib-connect/commit/6289a8abb9bc4b27c466481f84ef0b0b486148f9, perhaps we should drop `node-http2` in favor of Node's own `http2` interface, because the former has security vulnerabilities.

Actually, I've just now noticed that the reason to change to `node-http2` from the `http2` Node interface was a broken test. That's kinda weird: instead of updating the code/calls to match the updated API on Node, one just moves altogether to a totally different library? Kinda bold.

Anyway, `node-http2` is currently plagued by a security vulnerability and I think one should simplify and resort to Node's own `http2` interface.

If I can, I will throw a PR for that.

Edit:

- `websocket-stream`: https://github.com/maxogden/websocket-stream/issues/162