Security issue for socket.io dependency

[KirilVandov]

Issue details

There is a security issue with the current version of socket.io
https://www.npmjs.com/advisories/1609

The advisory from npm is to "Update to version 2.4.0 or later."

Steps to reproduce/test case

Simply npm install and you will get the security issue reported
https://www.npmjs.com/advisories/1609

Please specify which version of Browsersync, node and npm you're running

• Browsersync [ X ]
• Node [ ]
• Npm [ ]

Affected platforms

• linux
• windows
• OS X
• freebsd
• solaris
• other (please specify which)

[abbyblachman]

+1

[mef]

The latest version of browser-sync already uses socket.io v2.4.0 (source), you might want to update browser-sync in your app.

[casingh1990]

Please see

• https://nvd.nist.gov/vuln/detail/CVE-2020-36049
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

I think based on these we may need to consider:

• engine.io 4+
• socket.io-parser 3.4.1+

[rishi241424]

My browser-synch version is 2.26.14 (latest version), but still my my scan reports says HIGH Serverity for this engine and socket packages.
engine.io:3.5.0
socket.io-parser:3.3.2

[lachieh]

There are a number of issues that keep getting created for this security warning. What is required to get the updated socket.io package merged?

[abbyblachman]

+1

[stratboy]

Same problem here