Update to use latest sockjs-client package, once they've updated to use latest eventsource package (CVE-2022-1650) #4460
Comments
This change is dependent on one of the following PRs:
I have the same error. Please help.
Related vulnerability definition:
We should wait for the fix in sockjs-client; we can't fix it here.
Yes, that's right. I raised this issue so people are aware, and stated in the original bug comment that it is pending a fix in sockjs.
sockjs-client has now implemented this fix (sockjs/sockjs-client#590). webpack-dev-server can now consume the newest version of sockjs-client.
Bug report
webpack-dev-server has sockjs-client as a dependency. sockjs-client has a dependency on eventsource. sockjs-client needs to update to the latest eventsource. Once that is done, webpack-dev-server will need to update to the latest sockjs-client.
sockjs-client will need to use eventsource 2.0.2. Lower versions have a critical vulnerability.
Actual Behavior
Vulnerability scanners (with up-to-date definitions) perform a scan against webpack-dev-server. Notice the failure for eventsource 1.1.0.
Expected Behavior
Use a vulnerability scanner (with up-to-date definitions); it should pass with eventsource, sockjs-client and webpack-dev-server.
How Do We Reproduce?
Use a vulnerability scanner (with up-to-date definitions) and perform a scan against webpack-dev-server. Notice the failure for eventsource 1.1.0.
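The dependency chain in the report (webpack-dev-server -> sockjs-client -> eventsource) can be checked without a scanner by walking a project's lockfile for nested copies of eventsource below 2.0.2. This is an added example, not code from webpack-dev-server or sockjs-client; the lockfile it reads is constructed for the demo, and the top-level package versions in it are placeholders.

```javascript
// Added example: flag every installed copy of eventsource older than 2.0.2
// (the fixed release named in the issue) in an npm lockfile v2/v3 "packages" map.
const FIXED_EVENTSOURCE = [2, 0, 2];

// "1.1.0" -> [1, 1, 0]; prerelease/build suffixes such as "-beta.1" are dropped.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}

// True when version tuple a sorts strictly before tuple b (major, minor, patch).
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Returns [{ path, version }] for each eventsource install below the fixed version,
// including nested copies such as node_modules/sockjs-client/node_modules/eventsource.
function findVulnerableEventsource(lockfile) {
  const hits = [];
  for (const [pkgPath, meta] of Object.entries(lockfile.packages || {})) {
    if (!pkgPath.endsWith('node_modules/eventsource')) continue;
    if (isOlder(parseVersion(meta.version), FIXED_EVENTSOURCE)) {
      hits.push({ path: pkgPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile (not from a real project): sockjs-client carries its own
// eventsource 1.1.0, while a separate top-level copy is already on 2.0.2.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/webpack-dev-server': { version: '0.0.0-placeholder' },
    'node_modules/sockjs-client': { version: '0.0.0-placeholder' },
    'node_modules/sockjs-client/node_modules/eventsource': { version: '1.1.0' },
    'node_modules/eventsource': { version: '2.0.2' },
  },
};

console.log(findVulnerableEventsource(sampleLock));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means no copy of eventsource below 2.0.2 is installed.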