node-red / node-red-dashboard

A dashboard UI for Node-RED

Socket.io update required to later versions as vulnerability reported #697

Open RMutharaju opened 3 years ago

RMutharaju commented 3 years ago

What are the steps to reproduce?

With Socket.io: ~3.0.0 and earlier versions, there is a vulnerability reported for one of its dependency components: https://nvd.nist.gov/vuln/detail/CVE-2021-31597

What happens?

What do you expect to happen?

Please tell us about your environment:


dceejay commented 3 years ago

Yes - we are well aware of this. Currently the core of Node-RED and Dashboard both still support Node.js v8 and 10 - moving to that new version will break support for them. We are currently in the process of moving to Node-RED v2 and at that point we will also release Dashboard v3 which will have this fix.

RMutharaju commented 3 years ago

Thanks for your response @dceejay :)