Closed evansrobert closed 3 years ago
Hello @evansrobert
Thanks for calling this up. socket.io 2.3.0 -> socket.io 3.0.0 is a breaking change that made us update libp2p-webrtc-star@0.20.* to libp2p-webrtc-star@0.21.* with https://github.com/libp2p/js-libp2p-webrtc-star/pull/285

This way, the solution is to update to the newer version of webrtc-star. If we ship libp2p-webrtc-star@0.20.9 with updated socket.io, it will be problematic for other users. Another solution if you cannot update is to get a PR to https://www.npmjs.com/package/socket.io where socket.io@2.4.1 would update engine.io.
Let me know what you think
@vasco-santos Thanks for the fix in libp2p-webrtc-star@0.21.*, I noticed this release with the patch. Thanks for your help.
Subject of the issue
libp2p-webrtc-star@0.20.8 requires engine.io@3.5.0, which has a security problem (see: CVE-2020-36048):
libp2p-webrtc-star@0.20.8 ➔ socket.io@2.4.1 ➔ engine.io@3.5.0
I do not know if this vulnerability actually affects libp2p-webrtc-star, but it will show up in security reports about dependencies. Since a large number of developers still use libp2p-webrtc-star@0.20.* (3,207 downloads per week), is there any possibility that you could release an updated version for 0.20.* (i.e. 0.20.9) that introduces a patched version (>=4.0.0) of engine.io?

In libp2p-webrtc-star@0.20.9, maybe you can perform the following update:

socket.io ^2.3.0 ➔ ^3.0.0

where socket.io@3.0.0 ➔ engine.io@4.0.6, and engine.io@4.0.6 has fixed the vulnerability CVE-2020-36048.
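As an added example, not part of this issue or of the libp2p project, the following Node script shows how to confirm for yourself which copies of engine.io a project actually installs, rather than relying only on a scanner report. It walks a package-lock.json in the lockfileVersion 1 layout (nested `dependencies` maps, which mirror the `node_modules` nesting) and flags every engine.io below 4.0.0, the patched range the issue cites for CVE-2020-36048. The lock contents below are constructed to mirror the chain described in the issue; `SAMPLE_LOCK`, `findPackage` and `auditEngineIo` are names chosen for this example, and the script does not handle the flat `packages` map of lockfileVersion 2 and 3.

```javascript
// Added example (not the issue author's or the libp2p project's code).
// Walks a lockfileVersion 1 package-lock.json and reports every installed
// copy of a package whose version is below a given fixed version.

// Constructed sample lock, modelled on the chain reported in the issue:
//   libp2p-webrtc-star@0.20.8 -> socket.io@2.4.1 -> engine.io@3.5.0
// plus a hoisted, already-patched engine.io@4.0.6 used by something else.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "libp2p-webrtc-star": {
      version: "0.20.8",
      requires: { "socket.io": "^2.3.0" },
      dependencies: {
        "socket.io": {
          version: "2.4.1",
          requires: { "engine.io": "~3.5.0" },
          dependencies: {
            "engine.io": { version: "3.5.0" },
          },
        },
      },
    },
    "engine.io": { version: "4.0.6" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator; enough for a "below fixed version" check.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Visit every node in the nested "dependencies" tree. `path` is the
// node_modules nesting location of each hit (e.g. a copy installed under
// node_modules/libp2p-webrtc-star/node_modules/socket.io/node_modules).
function findPackage(lock, target, minFixed) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${node.version}`];
      if (name === target) {
        hits.push({
          path: here,
          version: node.version,
          vulnerable: compareSemver(node.version, minFixed) < 0,
        });
      }
      walk(node.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// The specific check from the issue: engine.io must be >= 4.0.0.
function auditEngineIo(lock) {
  return findPackage(lock, "engine.io", "4.0.0");
}

// Human-readable report lines, one per installed copy.
function formatReport(hits) {
  return hits.map(
    (h) => `${h.vulnerable ? "VULNERABLE" : "ok        "} ${h.path.join(" > ")}`
  );
}

for (const line of formatReport(auditEngineIo(SAMPLE_LOCK))) {
  console.log(line);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; the report distinguishes a vulnerable copy nested under libp2p-webrtc-star from a patched copy hoisted to the top level, which is exactly the situation the issue describes.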