Is it possible to update dependency to remove the vulnerability CVE-2020-36048?

[evansrobert]

Subject of the issue

socket.io@2.4.1 requires engine.io@3.5.0, which has a security problem(high severity) (see: CVE-2020-36048):
socket.io@2.4.1 ➔ engine.io@3.5.0

I do not know if this vulnerability actually affects socket.io, but it will show up in security reports about dependencies. Since a large number of developers still use socket.io@2.4.*(1,762,377 downloads per week), is there any posibility that you could release an update version for 2.4.* (ie 2.4.2) that introduces a patched version(>=4.0.0) of engine.io?

In socket.io@2.4.2, maybe you can perform the following update:
engine.io ~3.5.0 ➔ ~4.0.0
where engine.io@4.0.0(>=4.0.0) has fixed the vulnerability CVE-2020-36048.

[darrachequesne]

@evansrobert please see my answer here: socketio/engine.io#612 (comment)

[evansrobert]

@darrachequesne Thanks for your answer.

[darrachequesne]

Closed due to inactivity, please reopen if needed.