npm project @microsoft/signalr depend on security vulnerable version of eventsource

[Jeffhooo]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.
@microsoft/signalr latest version depending on eventsource "^1.0.7".

Expected Behavior

Please update and release new version of @microsoft/signalr depend on v2.0.2 or upper version of eventsource.

Steps To Reproduce

1. Update @microsoft/signalr to latest version in package.json.
2. Run npm/yarn install
3. Check package.lock/yarn.lock

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response

[BrennanConroy]

@microsoft/signalr will use version 1.1.1 today when you download and install it in your project. 1.1.1 does not have the vulnerability mentioned EventSource/eventsource#273 (comment)

And we are already updating to 2.0.2 on main, see #41270