Vulnerable dependent packages


Currently socket.io through dependencies installs engine.io@1.6.11 which is installing accepts@1.14. I currently forked both socket.io and engine.io to get around this and called on those forked repos in my package.json. accepts@1.1.4 currently has an older version of negotiator@0.4.9 which is vulnerable to https://nodesecurity.io/advisories/106 and ws@1.1.0 which is vulnerable to https://nodesecurity.io/advisories/120. These are huge and easily implemented vulnerabilities, hence why I went to the trouble of forking two repos for one line change.

npm list (before fork)
─┬ socket.io@1.4.8
│ ├─┬ debug@2.2.0
│ │ └── ms@0.7.1
│ ├─┬ engine.io@1.6.11
│ │ ├─┬ accepts@1.1.4
│ │ │ ├─┬ mime-types@2.0.14
│ │ │ │ └── mime-db@1.12.0
│ │ │ └── negotiator@0.4.9

npm list (after fork)
├─┬ socket.io@1.4.8 (git://github.com/greenlancer/socket.io.git#77b088993ae2f26ea28a7bee565837e8a9708e96)
│ ├─┬ debug@2.2.0
│ │ └── ms@0.7.1
│ ├─┬ engine.io@1.6.11 (git://github.com/greenlancer/engine.io.git#2c0ae2972b20f6e843dffea17d11262adee3a381)
│ │ ├─┬ accepts@1.3.3
│ │ │ └── negotiator@0.6.1

caught with nsp
npm install nsp
nsp check

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 8 (1 by maintainers)

Top GitHub Comments

1 reaction
attritionorg commented, Sep 28, 2016

Relatively minor, but “1.14” vs “1.1.4”. In the world of forked projects, sometimes this is minor but telling that it may be a different project, so best to clarify. Thanks again!

0 reactions
drawlins-gl commented, Oct 25, 2016

Thanks!

On Thu, Oct 20, 2016 at 9:25 PM, Damien Arrachequesne <notifications@github.com> wrote:

Closed #2693 https://github.com/socketio/socket.io/issues/2693.


