Closed: okuryu closed this issue 4 years ago
I was able to work around this using Yarn's selective resolutions feature to force the socket.io version to 2.
https://yarnpkg.com/lang/en/docs/selective-version-resolutions/
Here's what I added to my package.json:

```json
"resolutions": {
  "**/eshost/socket.io": "^2"
}
```

Then running `yarn` fixes the lockfile to no longer have the vulnerable parsejson.
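As an added check (example code, not from either commenter or the eshost project), this Node script parses a Yarn v1 lockfile and reports which socket.io versions are resolved and whether parsejson is still present, so the effect of the resolution can be verified after running yarn; the lockfile fragments are constructed for illustration.

```javascript
// Parse a Yarn v1 lockfile into { "<name>@<range>": "<resolved version>" }.
// Assumes the v1 text layout: unindented entry headers ending in ":" (possibly
// several comma-separated, optionally quoted keys) followed by a two-space
// indented `version "x.y.z"` line; nested `dependencies:` blocks are deeper.
function parseYarnLock(text) {
  const resolved = {};
  let currentKeys = [];
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Entry header, e.g. `socket.io@^1.7.3, socket.io@^2:`
      currentKeys = line
        .replace(/:\s*$/, "")
        .split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
    } else if (/^ {2}version\s/.test(line)) {
      const version = line.trim().split(/\s+/)[1].replace(/^"|"$/g, "");
      for (const key of currentKeys) resolved[key] = version;
    }
  }
  return resolved;
}

// All distinct versions a package name resolves to (handles scoped names).
function resolvedVersions(lock, name) {
  const versions = new Set();
  for (const [key, version] of Object.entries(lock)) {
    const at = key.lastIndexOf("@");
    if (at > 0 && key.slice(0, at) === name) versions.add(version);
  }
  return [...versions].sort();
}

// Report socket.io versions and whether parsejson is still in the tree.
function checkLock(text) {
  const lock = parseYarnLock(text);
  return {
    socketIo: resolvedVersions(lock, "socket.io"),
    parsejsonPresent: resolvedVersions(lock, "parsejson").length > 0,
  };
}

// Constructed lockfile fragments: before and after applying the resolution.
const BEFORE = `# yarn lockfile v1

parsejson@0.0.3:
  version "0.0.3"

socket.io@^1.7.3:
  version "1.7.4"
  dependencies:
    socket.io-client "1.7.4"
`;
const AFTER = `# yarn lockfile v1

socket.io@^1.7.3, socket.io@^2:
  version "2.3.0"
`;
```

Run it against the real lockfile with `checkLock(require("fs").readFileSync("yarn.lock", "utf8"))`.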
Yeah, it probably works well in Yarn, but npm doesn't support the feature.
I've bumped 9 vulnerabilities with eshost as follows. It seems to need to upgrade socket.io to the latest version.