Closed tribou closed 7 years ago
Thanks @tribou,
I wasn't aware of the security vulnerabilities. Unfortunately I have to pinpoint to an exact version because different socket.io versions (client/server) may be incompatible with each other. As I'm running a dev server, I cannot upgrade the socket.io version on either client or server.
> This also includes the dev dependencies needed to run the gulp dist script without depending on the yjs repo to be cloned and installed in an adjacent folder.
I depend on my current folder structure for testing purposes. So I'd rather like to just upgrade the socket.io entry in package.json. I'm going to release a major release (including socket.io upgrade) next week.
Your pull requests are very welcome! But I ask you to create separate pull requests for different issues (version upgrade / gulp script update). I'd have accepted the version upgrade.
Hello @dmonad!
I ran a Node Security Project check and found that `socket.io-client@1.3.7` had a list of vulnerabilities:
I wasn't sure why you pinned it to that version, but I was able to do some local tests successfully after upgrading to the latest `socket.io-client@^1`.
This also includes the dev dependencies needed to run the `gulp dist` script without depending on the `yjs` repo to be cloned and installed in an adjacent folder.
Let me know what you think!