socket.io@2.4.1 requires engine.io@3.5.0, which has a security problem (high severity) (see: CVE-2020-36048):

socket.io@2.4.1 ➔ engine.io@3.5.0

I do not know if this vulnerability actually affects socket.io, but it will show up in security reports about dependencies. Since a large number of developers still use socket.io@2.4.* (1,762,377 downloads per week), is there any possibility that you could release an updated version for 2.4.* (i.e. 2.4.2) that introduces a patched version (>=4.0.0) of engine.io?

In socket.io@2.4.2, maybe you can perform the following update:

engine.io ~3.5.0 ➔ ~4.0.0

where engine.io@4.0.0 (>=4.0.0) has fixed the vulnerability CVE-2020-36048.