Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update package to remove the high severity vulnerability introduced in your package #1892

Closed
paimon0715 opened this issue Jul 26, 2021 · 1 comment · Fixed by #1936
Closed

Comments

@paimon0715
Copy link

paimon0715 commented Jul 26, 2021

Hi, @shakyShane,

Issue Description

I noticed that browser-sync@2.27.4 transitively depends on engine.io@3.5.0. Unfortunately,there is a high severity vulnerability CVE-2020-36048 detected in engine.io (versions:<4.0.0) :https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
As you can see, the above vulnerable package is referenced by browser-sync@2.27.4 via:
browser-sync@2.27.4 ➔ socket.io@2.4.0 ➔ engine.io@3.5.0

As far as I know,browser-sync@2.27.4 (142,176 downloads per week) is referenced by 2,131 downstream projects (e.g., @nguniversal/builders 12.1.0 (latest version), lite-server 2.6.1 (latest version), @11ty/eleventy 0.12.1 (latest version), @frctl/fractal 1.5.8 (latest version)), the vulnerability CVE-2020-36048 can be propagated into these downstream projects and expose security threats to them via the following package dependency paths:

  1. @11ty/eleventy@0.12.1 ➔ browser-sync@2.27.4 ➔ socket.io@2.4.0 ➔ engine.io@3.5.0
  2. @angular-custom-builders/lite-serve@0.2.3 ➔ browser-sync@2.27.4 ➔ socket.io@2.4.0 ➔ engine.io@3.5.0
  3. @bigcommerce/stencil-cli@3.3.0 ➔ browser-sync@2.27.4 ➔ socket.io@2.4.0 ➔ engine.io@3.5.0
    ......

Therefore, if browser-sync@2.27.* removes the vulnerable package from the above version, then its fixed version can help downstream users aviod this vulnerability.

Given the large number of downstream users, is it possible to update dependency to remove the vulnerability from browser-sync@2.27.4?

Fixing suggestions

In browser-sync@2.27.*, you can simply try to perform the following upgrade :
socket.io 2.4.0 ➔ ^3.0.0;

Note:
socket.io@3.0.0(>=3.0.0-rc1) directly depends on engine.io@4.0.6 which has fixed the vulnerability (CVE-2020-36048).
Of course, your are welcome to share other ways to resolve the issue with me.^_^

Thank you for your attention to this issue.

Yours sincerely,
Paimon

@lachieh
Copy link
Contributor

lachieh commented Feb 24, 2022

Duplicate issue. See #1850 for original.

This was referenced Mar 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants