Component Governance alerts of eventsource for signalr package in npm #41729

Closed
RichardSunMS opened this issue May 18, 2022 · 3 comments
Labels
area-signalr Includes: SignalR clients and servers

Comments

@RichardSunMS

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

There is always an eventsource version 1.1.1 reference in the package-lock.json, and this package is downloaded into the nested node_modules folder under the signalr package folder.

Manually installing version 2.0.2 in my package.json dependencies does not solve the problem; please help upgrade the packages or share the steps to mitigate on our side.

This is causing the Governance alert with the error below:

Root dependencies for eventsource
@microsoft/signalr 6.0.5
@microsoft/signalr-protocol-msgpack 6.0.5
Recommendation
Upgrade to version eventsource - 2.0.2
If you are using NPM 6 or above, you can run npm audit fix on your local machine to fix vulnerabilities. For more info, please visit https://docs.npmjs.com/cli/audit

And here is a quick view of the generated package-lock.json file:
    "node_modules/@microsoft/signalr/node_modules/eventsource": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/eventsource/-/eventsource-1.1.1.tgz",
      "integrity": "sha512-qV5ZC0h7jYIAOhArFJgSfdyz6rALJyb270714o7ZtNnw2WSJ+eexhKtE0O8LYPRsHZHf2osHKZBxGPvm3kPkCA==",
      "dependencies": {
        "original": "^1.0.0"
      },
      "engines": {
        "node": ">=0.12.0"
      }
    },

Expected Behavior

No response

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response
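To see what a scanner such as Component Governance is actually reporting, it helps to walk the lockfile the same way it does. The script below is an added example for this thread, not code from the aspnetcore repository or from the reporter: it reads the "packages" map of a lockfileVersion 2/3 package-lock.json and lists every installed copy of a package, including copies nested under another package's node_modules. The sample lockfile is constructed from the fragment in the issue; the dependency ranges in it (^6.0.5, ^2.0.2, ^1.0.7) are assumptions for illustration. It shows why pinning eventsource@2.0.2 in your own package.json leaves the 1.1.1 copy under @microsoft/signalr untouched: that nested entry is resolved from signalr's own dependency range, not from yours.

```javascript
// Added example for this issue, not code from the aspnetcore repo or from the
// reporter: walk the "packages" map of a lockfileVersion 2/3 package-lock.json
// and list every installed copy of a package, including copies nested under
// another package's node_modules. A scanner sees every entry in this map, which
// is why adding eventsource@2.0.2 to the root package.json does not remove the
// 1.1.1 copy under @microsoft/signalr: that entry is resolved separately.

// Constructed sample lockfile modelled on the fragment in the issue. The
// dependency ranges (^6.0.5, ^2.0.2, ^1.0.7) are assumptions for illustration.
const sampleLock = {
  name: "my-app",
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { "@microsoft/signalr": "^6.0.5", eventsource: "^2.0.2" },
    },
    "node_modules/eventsource": {
      version: "2.0.2",
      resolved: "https://registry.npmjs.org/eventsource/-/eventsource-2.0.2.tgz",
    },
    "node_modules/@microsoft/signalr": {
      version: "6.0.5",
      dependencies: { eventsource: "^1.0.7" },
    },
    "node_modules/@microsoft/signalr/node_modules/eventsource": {
      version: "1.1.1",
      resolved: "https://registry.npmjs.org/eventsource/-/eventsource-1.1.1.tgz",
      dependencies: { original: "^1.0.0" },
    },
  },
};

// Compare two semver strings on major.minor.patch only; pre-release tags are
// ignored, which is enough for ranking released versions such as 1.1.1 vs 2.0.2.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Split a lockfile path such as
// "node_modules/@microsoft/signalr/node_modules/eventsource" into the chain of
// package names it nests through: ["@microsoft/signalr", "eventsource"].
function packageChain(lockPath) {
  return lockPath
    .split("node_modules/")
    .map((s) => s.replace(/\/$/, ""))
    .filter(Boolean);
}

// Every installed copy of `name`, with the packages that nest it
// (an empty array for a top-level copy).
function findCopies(lock, name) {
  const copies = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    const chain = packageChain(lockPath);
    if (chain[chain.length - 1] !== name) continue;
    copies.push({ path: lockPath, version: entry.version, parents: chain.slice(0, -1) });
  }
  return copies;
}

// Copies of `name` older than `minVersion`: the entries a scanner keeps
// reporting no matter what the root package.json pins.
function copiesBelow(lock, name, minVersion) {
  return findCopies(lock, name).filter((c) => compareVersions(c.version, minVersion) < 0);
}

// Human-readable summary in the style of the alert's "Root dependencies" list.
function formatReport(lock, name, minVersion) {
  const lines = [`Copies of ${name} below ${minVersion}:`];
  for (const c of copiesBelow(lock, name, minVersion)) {
    const via = c.parents.length ? `via ${c.parents.join(" -> ")}` : "top level";
    lines.push(`  ${c.version}  (${via})  ${c.path}`);
  }
  return lines.join("\n");
}

console.log(formatReport(sampleLock, "eventsource", "2.0.2"));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a lockfileVersion 1 file has no "packages" map (it uses a nested "dependencies" tree), so it would need a recursive walk instead. `npm ls eventsource` prints the same nesting from the command line. Note that `npm audit fix` without `--force` only moves a nested copy within the range the parent package declares, so if that range excludes 2.0.2 the nested entry stays until the parent package itself updates its dependency.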

@javiercn javiercn added the area-signalr Includes: SignalR clients and servers label May 18, 2022
@BrennanConroy
Member

1.1.1 is not vulnerable, the vulnerability database just hasn't been updated. EventSource/eventsource#273 (comment)

@wtgodbe
Member

wtgodbe commented May 18, 2022

@RichardSunMS where are you actually seeing this error? We may be able to help find a workaround for you in the meantime

@HorizonXP

We are also seeing this vulnerability being picked up by Snyk.

[Screenshot attached: Screen Shot 2022-05-18 at 3.48.58 PM]
