@uppy/transloadit Depends on old package with major security vulnerability
The latest version of @uppy/transloadit contains a dependency for socket.io-client "~2.2.0", which in turn depends on engine.io-client "~3.3.1", which depends on a version of xmlhttprequest-ssl that has this major security vulnerability: https://www.npmjs.com/advisories/1665

Later versions of socket.io-client don’t depend on xmlhttprequest-ssl at all. Is it possible to upgrade this dependency without breaking anything?
Issue Analytics
- State:
- Created 2 years ago
- Reactions:1
- Comments:6 (3 by maintainers)
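As an added example (not code from the Uppy issue or project), the following Node.js script does the check a reporter or maintainer would do to confirm a transitive dependency chain like the one reported: it walks a lockfileVersion 1 package-lock.json and lists every path from a direct dependency to a named package, following npm's nested-install resolution rule (nearest enclosing "dependencies" map first, then upwards to the root). The package names come from the issue; the lockfile contents, every version number, and the DIRECT_DEPENDENCIES list are constructed placeholders.

```javascript
// Added example (not from the Uppy issue or project): trace how a transitive
// npm dependency such as xmlhttprequest-ssl is reached in a package-lock.json.
// Package names are from the issue; every version number below is a
// constructed placeholder, not a real resolved version.

// Constructed lockfileVersion 1 document mirroring the chain in the issue:
// @uppy/transloadit -> socket.io-client ~2.2.0 -> engine.io-client ~3.3.1 -> xmlhttprequest-ssl
const VULNERABLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "@uppy/transloadit": { version: "0.0.0", requires: { "socket.io-client": "~2.2.0" } },
    "socket.io-client": { version: "2.2.0", requires: { "engine.io-client": "~3.3.1" } },
    "engine.io-client": {
      version: "3.3.1",
      requires: { "xmlhttprequest-ssl": "~1.0.0" },
      // Nested install: this copy is visible only to engine.io-client, so a
      // flat scan of the root "dependencies" map would miss it.
      dependencies: { "xmlhttprequest-ssl": { version: "1.0.0" } },
    },
  },
};

// Constructed "after upgrade" lockfile (versions are placeholders): the newer
// socket.io-client line no longer pulls in xmlhttprequest-ssl.
const UPGRADED_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "@uppy/transloadit": { version: "0.0.0", requires: { "socket.io-client": "^3.0.0" } },
    "socket.io-client": { version: "3.0.0", requires: { "engine.io-client": "^4.0.0" } },
    "engine.io-client": { version: "4.0.0", requires: {} },
  },
};

// Direct dependencies would normally be read from package.json; constructed here.
const DIRECT_DEPENDENCIES = ["@uppy/transloadit"];

// npm resolves a "requires" entry to the nearest enclosing "dependencies" map,
// innermost scope first, then upwards to the lockfile root.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) {
      return { entry: scopes[i][name], scopeIndex: i };
    }
  }
  return null;
}

// Return every dependency path (as arrays of "name@version") from a direct
// dependency down to `target`. Cycles are cut by tracking visited entries.
function findPaths(lock, directDeps, target) {
  const results = [];
  function walk(name, scopes, path, seen) {
    const hit = resolve(name, scopes);
    if (!hit || seen.has(hit.entry)) return;
    const nextPath = path.concat(`${name}@${hit.entry.version}`);
    if (name === target) {
      results.push(nextPath);
      return;
    }
    const nextSeen = new Set(seen).add(hit.entry);
    // Children resolve from the entry's own nested map first, then the scopes above it.
    const nextScopes = scopes.slice(0, hit.scopeIndex + 1);
    if (hit.entry.dependencies) nextScopes.push(hit.entry.dependencies);
    for (const dep of Object.keys(hit.entry.requires || {})) {
      walk(dep, nextScopes, nextPath, nextSeen);
    }
  }
  for (const name of directDeps) walk(name, [lock.dependencies || {}], [], new Set());
  return results;
}

// Render paths as "a@1 > b@2 > c@3" strings for reporting.
function formatPaths(paths) {
  return paths.map((p) => p.join(" > "));
}

console.log("before:", formatPaths(findPaths(VULNERABLE_LOCK, DIRECT_DEPENDENCIES, "xmlhttprequest-ssl")));
console.log("after: ", formatPaths(findPaths(UPGRADED_LOCK, DIRECT_DEPENDENCIES, "xmlhttprequest-ssl")));
```

Against an installed project the same answer comes from `npm ls xmlhttprequest-ssl` and `npm audit`; the script is for the case where only the lockfile is at hand (a code review, a CI job) and you want to see which direct dependency is responsible, and to confirm after an upgrade that no path to the flagged package remains.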
This vulnerability is not exploitable through Uppy because the exploit only works in Node.js (Uppy does not run there) and with synchronous requests (which Uppy never makes). We should try to upgrade engine.io-client if we can (we are on an old version due to browser support issues, IIRC) but in the meantime you don’t need to worry about this affecting your users.
Thanks for reporting! We’ll look into this.