Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependencies are outdated and there are vulnerabilities #3709

Closed
9 of 11 tasks
Download opened this issue Nov 25, 2020 · 1 comment
Closed
9 of 11 tasks

Dependencies are outdated and there are vulnerabilities #3709

Download opened this issue Nov 25, 2020 · 1 comment
Labels
enhancement New feature or request

Comments

@Download
Copy link
Contributor

Download commented Nov 25, 2020
edited
Loading

You want to:

  • report a bug
  • request a feature

Current behaviour

npm outdated reports many dependencies as out of date:

C:\ws\socketio>npm outdated
Package           Current    Wanted    Latest  Location
@types/mocha        8.0.3     8.0.4     8.0.4  socket.io
@types/node       14.14.7  14.14.10  14.14.10  socket.io
debug               4.1.1     4.1.1     4.3.1  socket.io
engine.io           4.0.1     4.0.4     4.0.4  socket.io
eslint             7.12.1    7.14.0    7.14.0  socket.io
mocha               3.5.3     3.5.3     8.2.1  socket.io
prettier           1.19.1    1.19.1     2.2.0  socket.io
socket.io-parser    4.0.1     4.0.2     4.0.2  socket.io
superagent          3.8.3     3.8.3     6.1.0  socket.io
supertest           3.4.2     3.4.2     6.0.1  socket.io
typescript          4.0.5     4.1.2     4.1.2  socket.io

Also, after each install, npm reports vulnerabilities:

audited 325 packages in 1.704s

20 packages are looking for funding
  run `npm fund` for details

found 3 vulnerabilities (2 low, 1 critical)

Steps to reproduce (if the current behaviour is a bug)

  • Git clone this repo
  • npm install (observe reported vulnerabilities)
  • npm outdated (observe report of many outdated dependencies)

Expected behaviour

Dependencies should be up to date and no vulnerabilities should be reported

Setup

  • OS: Windows, but not relevant
  • browser: n/a
  • socket.io version: master

Other information (e.g. stacktraces, related issues, suggestions how to fix)

I created a PR that updates all dependencies except for 2:

  • @types/mocha 8.0.3 ==> 8.0.4
  • @types/node 14.14.7 ==> 14.14.10
  • debug 4.1.1 ==> 4.3.1
  • engine.io 4.0.1 ==> 4.0.4
  • eslint 7.12.1 ==> 7.14.0
  • mocha #3710 3.5.3 =X> 8.2.1
  • prettier #3712 1.19.1 =X> 2.2.0
  • socket.io-parser 4.0.1 ==> 4.0.2
  • superagent 3.8.3 ==>6.1.0
  • supertest 3.4.2 ==> 6.0.1
  • typescript 4.0.5 ==> 4.1.2

Mocha, when I update it and then run the tests, gives me test failures. So I left that out and created a separate issue for that:

Tests fail with latest version of Mocha #3710

Prettier it seems had a change of some default rules or something. When I update it to the latest version, it marks many files as invalid. When I run npm run format:fix, it makes the needed changes and it affects a bunch of files. The changes seem to revolve around braces or not around a single parameter of an arrow function and whether to use a comma after the last item in an array. I will create a separate issue and PR for updating Prettier, because maybe you don't agree with the defaults changing.

Updating Prettier causes many files to become invalid #3712

About the vulnerabilities

They are only in the development dependencies, so this is mostly a theoretical issue. But it would be great to fix them of course. I found out that they are coming in via mocha and that they are fixed in the latest version of mocha. However as said above I had trouble updating mocha so maybe one of the more seasoned socket.io devs can have a look at that.

C:\ws\socketio>npm audit

                       === npm audit security report ===

# Run  npm install --save-dev mocha@8.2.1  to resolve 3 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Critical        Command Injection

  Package         growl

  Dependency of   mocha [dev]

  Path            mocha > growl

  More info       https://npmjs.com/advisories/146




  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   mocha [dev]

  Path            mocha > debug

  More info       https://npmjs.com/advisories/534




  Low             Prototype Pollution

  Package         minimist

  Dependency of   mocha [dev]

  Path            mocha > mkdirp > minimist

  More info       https://npmjs.com/advisories/1179



found 3 vulnerabilities (2 low, 1 critical) in 327 scanned packages
  3 vulnerabilities require semver-major dependency updates.
@Download Download mentioned this issue Nov 25, 2020
Closed
This was referenced Dec 5, 2020
Closed
Closed
Closed
darrachequesne added a commit that referenced this issue Jun 27, 2022
@darrachequesne
chore: bump dependencies
9890b03 
Production:

- socket.io-parser: ~4.0.4 => ~4.2.0

Development:

- superagent: ^6.1.0 => ^8.0.0
- tsd: ^0.17.0 => ^0.21.0

Related: #3709
@darrachequesne
Copy link
Member

Here we go: 9890b03

$ npm outdated
Package                                      Current  Wanted  Latest  Location                          Depended by
socket.io-client-v2:socket.io-client@^2.4.0    2.5.0   2.5.0   4.5.1  node_modules/socket.io-client-v2  socket.io

@darrachequesne darrachequesne added the enhancement New feature or request label Jun 27, 2022
dzad pushed a commit to dzad/socket.io that referenced this issue May 29, 2023
@darrachequesne
chore: bump dependencies
ee40408 
Production:

- socket.io-parser: ~4.0.4 => ~4.2.0

Development:

- superagent: ^6.1.0 => ^8.0.0
- tsd: ^0.17.0 => ^0.21.0

Related: socketio#3709
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Download @darrachequesne