Open jonathanellis opened 2 years ago
Are there any plans to upgrade engine.io-client-java to OkHttp 4.x?
The latest version of the Engine.IO client still depends on OkHttp 3.12.12, which is no longer supported, including security patches (ending 31 December 2021).
Moreover, OkHttp has been impacted by CVE-2021-0341 and whilst explaining that this is not realistically exploitable, the maintainers have fixed the issue in OkHttp 4.x but are not backporting the fix to 3.x.
This leaves any users of engine.io-client-java (and by extension, socket.io-client-java) flagging this "high severity" CVE in any dependency scans.
Are there any plans to upgrade engine.io-client-java to OkHttp 4.x?
The latest version of the Engine.IO client still depends on OkHttp 3.12.12, which is no longer supported, including security patches (ending 31 December 2021).
Moreover, OkHttp has been impacted by CVE-2021-0341 and whilst explaining that this is not realistically exploitable, the maintainers have fixed the issue in OkHttp 4.x but are not backporting the fix to 3.x.
This leaves any users of engine.io-client-java (and by extension, socket.io-client-java) flagging this "high severity" CVE in any dependency scans.