socketio / socket.io-redis-emitter

The Socket.IO Redis emitter, which allows communicating with a group of Socket.IO servers from another Node.js process.
https://socket.io/docs/v4/redis-adapter/
MIT License

Update socket.io-parser dependency to remove vulnerability #93

Closed by skipper09 3 years ago

skipper09 commented 3 years ago

The dependency on socket.io-parser@3.1.2 brings in a DoS vulnerability that is fixed in versions 3.3.2 and 3.4.1.

Are there any plans to update this to a newer version?

ETA: Link to more info https://nvd.nist.gov/vuln/detail/CVE-2020-36049

darrachequesne commented 3 years ago

Updated in https://github.com/socketio/socket.io-emitter/commit/a70db12877d901dd0f7085def0a91145b7c83163 and included in @socket.io/redis-emitter@4.0.0. Thanks!

Note: the parser is not actually used in the code (only for the PacketType import).
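
The following is an added example, not part of the thread or the project's code: a lockfile check that lists every resolved copy of socket.io-parser, direct or transitive, and flags those older than the fixed releases named in the issue (3.3.2 and 3.4.1). The function names, the sample lockfile and the rule that versions outside those two release lines count as fixed only when newer than 3.4.1 are assumptions.

```javascript
// Fixed releases as stated in the issue above; everything else is an assumption.
const FIXED = [[3, 3, 2], [3, 4, 1]];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Assumption: a version is fixed if it is at or past the fix on its own
// major.minor line, or newer than the highest fixed line (3.4.x).
function isFixed(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable versions are reported for manual review
  const line = FIXED.find((f) => f[0] === v[0] && f[1] === v[1]);
  return line ? cmp(v, line) >= 0 : cmp(v, FIXED[FIXED.length - 1]) > 0;
}

// Collect every resolved copy of socket.io-parser, including transitive ones.
function findParser(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages))
      if (path.endsWith("node_modules/socket.io-parser"))
        hits.push({ path, version: meta.version, fixed: isFixed(meta.version) });
  } else { // lockfileVersion 1: nested dependency tree
    (function walk(deps, trail) {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = trail ? trail + " > " + name : name;
        if (name === "socket.io-parser")
          hits.push({ path, version: meta.version, fixed: isFixed(meta.version) });
        walk(meta.dependencies, path);
      }
    })(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample (lockfileVersion 1); the emitter version is a placeholder.
const sampleLock = { lockfileVersion: 1, dependencies: {
  "socket.io-emitter": { version: "0.0.0-constructed", dependencies: {
    "socket.io-parser": { version: "3.1.2" } } },
  "socket.io-parser": { version: "3.4.1" } } };

console.log(findParser(sampleLock).filter((h) => !h.fixed));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findParser` instead of `sampleLock`.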