tc39 / eshost

A uniform wrapper around a multitude of ECMAScript hosts. CLI: https://github.com/bterlson/eshost-cli

npm audit reports socket.io vulnerabilities #144

Open ajvincent opened 1 month ago

ajvincent commented 1 month ago

I'd like to use eshost for testing one of my projects, but I'm a little worried about the npm audit report:

# npm audit report

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install eshost@6.5.0, which is a breaking change
node_modules/cookie
  engine.io  >=1.8.0
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of debug
  node_modules/engine.io
    socket.io  >=1.6.0
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of engine.io
    Depends on vulnerable versions of socket.io-parser
    node_modules/socket.io
      eshost  >=6.6.0
      Depends on vulnerable versions of socket.io
      node_modules/eshost

debug  4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install eshost@6.5.0, which is a breaking change
node_modules/debug
  socket.io-parser  3.4.0 - 4.0.2
  Depends on vulnerable versions of debug
  node_modules/socket.io-parser

6 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

ljharb commented 1 month ago

The vulnerabilities listed here don't apply to "not a webserver", which eshost isn't.
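As an added example (not code from this thread or from the eshost project): the script below walks the `vulnerabilities` object of an `npm audit --json` report (auditReportVersion 2) to rebuild the dependency chains the text report above prints, then, following ljharb's point, separates the advisories that eshost reaches only through socket.io from any that are reached another way. The report object is constructed by hand from the issue's text output, using npm's field names and omitting fields the issue does not show.

```javascript
// Constructed from the issue's text report. In npm's format a `via` entry is either an
// advisory object (the flaw is in this package) or a string naming a vulnerable dependency.
const adv = (name, title, url) => ({ name, title, url, severity: 'low' });
const report = {
  auditReportVersion: 2,
  vulnerabilities: {
    cookie: { via: [adv('cookie', 'cookie accepts cookie name, path, and domain with out of bounds characters',
                        'https://github.com/advisories/GHSA-pxg6-pf52-xh8x')] },
    debug: { via: [adv('debug', 'Regular Expression Denial of Service in debug',
                       'https://github.com/advisories/GHSA-gxpj-cx7g-858c')] },
    'engine.io': { via: ['cookie', 'debug'] },
    'socket.io-parser': { via: ['debug'] },
    'socket.io': { via: ['debug', 'engine.io', 'socket.io-parser'] },
    eshost: { via: ['socket.io'] },
  },
};

// Depth-first walk from `pkg`; returns one {path, advisory} per route that ends at an
// advisory object. `seen` guards against cycles in a malformed report.
function advisoryPaths(vulns, pkg, path = [], seen = new Set()) {
  if (seen.has(pkg) || !vulns[pkg]) return [];
  const here = [...path, pkg], next = new Set(seen).add(pkg), out = [];
  for (const v of vulns[pkg].via) {
    if (typeof v === 'string') out.push(...advisoryPaths(vulns, v, here, next));
    else out.push({ path: here, advisory: v });
  }
  return out;
}

// Group advisories by URL and split them by whether every path from `pkg` passes through
// `gate`. A triage note such as "this package never loads <gate>" covers `onlyViaGate`;
// anything in `alsoElsewhere` still needs its own review.
function triageThrough(report, pkg, gate) {
  const byUrl = new Map();
  for (const { path, advisory } of advisoryPaths(report.vulnerabilities, pkg)) {
    const rec = byUrl.get(advisory.url) || { advisory, paths: [] };
    rec.paths.push(path);
    byUrl.set(advisory.url, rec);
  }
  const onlyViaGate = [], alsoElsewhere = [];
  for (const rec of byUrl.values()) {
    (rec.paths.every(p => p.includes(gate)) ? onlyViaGate : alsoElsewhere).push(rec);
  }
  return { onlyViaGate, alsoElsewhere };
}

const result = triageThrough(report, 'eshost', 'socket.io');
for (const r of result.onlyViaGate) {
  console.log(`${r.advisory.url}\n  ${r.paths.map(p => p.join(' > ')).join('\n  ')}`);
}
```

Run against a real `npm audit --json` dump, the same functions show whether a "not a webserver" style justification accounts for every reported advisory or leaves some reachable by another route.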