libp2p / js-libp2p-webrtc-star

libp2p WebRTC transport that includes a discovery mechanism provided by the signalling-star
https://libp2p.io

Update dependency socket.io #374

Closed evansrobert closed 3 years ago

evansrobert commented 3 years ago

Subject of the issue

libp2p-webrtc-star@0.20.8 requires engine.io@3.5.0, which has a security problem (see: CVE-2020-36048): libp2p-webrtc-star@0.20.8 ➔ socket.io@2.4.1 ➔ engine.io@3.5.0

I do not know if this vulnerability actually affects libp2p-webrtc-star, but it will show up in security reports about dependencies. Since a large number of developers still use libp2p-webrtc-star@0.20.* (3,207 downloads per week), is there any possibility that you could release an updated version for 0.20.* (i.e. 0.20.9) that introduces a patched version (>=4.0.0) of engine.io?

In libp2p-webrtc-star@0.20.9, maybe you can perform the following update: socket.io ^2.3.0 ➔ ^3.0.0 where socket.io@3.0.0 ➔ engine.io@4.0.6, and engine.io@4.0.6 has fixed the vulnerability CVE-2020-36048.
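The check behind a report like the one above is "which resolution paths in my lockfile end at engine.io below the fixed version, and can the declared range at the end of each path ever admit the fixed version?" The following is an added example, not code from the libp2p project or from either participant in this thread. It walks a package-lock v1 shaped tree (nested `dependencies` maps with `version` and `requires`, resolved nearest-scope-first the way npm does) and reports each path. The tree is a constructed fixture that approximates the chain quoted in the issue; `hypothetical-dev-tool` is invented to show a nested, already-fixed copy, and the semver helpers only understand `^`, `~` and exact pins with no prerelease tags, which is an assumption for this fixture, not a general semver implementation.

```javascript
// Added example: audit a package-lock v1 style tree for vulnerable
// transitive versions of one package and say whether the declared range
// could ever pull in the fixed release.

const FIXED_ENGINE_IO = "4.0.0"; // first engine.io release the issue cites as fixed

// Constructed fixture approximating libp2p-webrtc-star@0.20.8 -> socket.io@2.4.1
// -> engine.io@3.5.0. "hypothetical-dev-tool" is invented for this example.
const lockfile = {
  name: "libp2p-webrtc-star",
  version: "0.20.8",
  requires: { "socket.io": "^2.3.0", "hypothetical-dev-tool": "^1.0.0" },
  dependencies: {
    "socket.io": { version: "2.4.1", requires: { "engine.io": "~3.5.0" } },
    "engine.io": { version: "3.5.0", requires: {} },
    "hypothetical-dev-tool": {
      version: "1.0.0",
      requires: { "socket.io": "^3.0.0" },
      dependencies: {
        "socket.io": {
          version: "3.0.0",
          requires: { "engine.io": "~4.0.0" },
          dependencies: { "engine.io": { version: "4.0.6", requires: {} } },
        },
      },
    },
  },
};

// Parse "x.y.z" into numbers. Assumption: no prerelease/build tags in the tree.
function parseSemver(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function semverLess(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Simplified range check: "^x.y.z", "~x.y.z" or an exact pin.
function rangeAdmits(range, version) {
  const op = range[0];
  const base = op === "^" || op === "~" ? range.slice(1) : range;
  const [bx, by] = parseSemver(base);
  if (semverLess(version, base)) return false;
  if (op === "^") return semverLess(version, bx > 0 ? `${bx + 1}.0.0` : `0.${by + 1}.0`);
  if (op === "~") return semverLess(version, `${bx}.${by + 1}.0`);
  return version === base;
}

// npm v1 lockfile resolution: nearest enclosing `dependencies` map wins.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}

// Every resolution path from the root to `target`, with the range that led there.
function findPaths(lock, target) {
  const results = [];
  const visit = (node, label, scopes, path, seen) => {
    if (seen.has(label)) return; // cycle guard on name@version
    const nextSeen = new Set(seen).add(label);
    const nextPath = [...path, label];
    const nextScopes = [...scopes, node];
    for (const [depName, range] of Object.entries(node.requires || {})) {
      const dep = resolve(nextScopes, depName);
      if (!dep) continue; // inconsistent lockfile entry; skip rather than guess
      const depLabel = `${depName}@${dep.version}`;
      if (depName === target) results.push({ path: [...nextPath, depLabel], version: dep.version, range });
      visit(dep, depLabel, nextScopes, nextPath, nextSeen);
    }
  };
  visit(lock, `${lock.name}@${lock.version}`, [], [], new Set());
  return results;
}

// For each path: is the resolved version below the fix, and could a plain
// lockfile refresh (same declared range) ever reach the fixed version?
function auditPackage(lock, target, fixedVersion) {
  return findPaths(lock, target).map((hit) => ({
    ...hit,
    vulnerable: semverLess(hit.version, fixedVersion),
    rangeReachesFix: rangeAdmits(hit.range, fixedVersion),
  }));
}

function formatReport(hits) {
  return hits
    .map((h) => `${h.vulnerable ? "VULN" : "ok  "} ${h.path.join(" > ")} (range ${h.range}, reaches fix: ${h.rangeReachesFix})`)
    .join("\n");
}

console.log(formatReport(auditPackage(lockfile, "engine.io", FIXED_ENGINE_IO)));
```

Run with `node audit.js`. The first line of the report is the case from the issue: engine.io is at 3.5.0 through socket.io@2.4.1, and the `~3.5.0` range that socket.io declares cannot admit 4.0.0, so no `npm update` on a 0.20.x tree can clear it; only a socket.io major bump (or a socket.io 2.x release that changes its own range) would. The nested copy under the hypothetical tool shows what the tree looks like once that bump has happened.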

vasco-santos commented 3 years ago

Hello @evansrobert

Thanks for calling this up. socket-io 2.3.0 -> socket-io 3.0.0 is a breaking change that made us update libp2p-webrtc-star@0.20.* to libp2p-webrtc-star@0.21.* with https://github.com/libp2p/js-libp2p-webrtc-star/pull/285

This way, the solution is to update to the newer version of webrtc-star. If we ship libp2p-webrtc-star@0.20.9 with updated socket.io, it will be problematic for other users. Another solution if you cannot update is to get a PR to https://www.npmjs.com/package/socket.io where socket.io@2.4.1 would update engine.io.

Let me know what you think

evansrobert commented 3 years ago

@vasco-santos Thanks for the fix in libp2p-webrtc-star@0.21.*, I noticed this release with such a patch. Thanks for your help.