Update to use latest sockjs-client package, once they've updated to use latest eventsource package (CVE-2022-1650) #4460
Comments
nathanmillar16
changed the title
|
This change is dependant on one of the following PRs: |
|
I have same error. Please help |
nathanmillar16
changed the title
|
Related Vulnerability defition: |
|
We should wait the fix in sockjs-client, we can't fix it here |
Yes, that's right. I raised this issue so people are aware and stated in original bug comment that it is pending a fix in sockjs |
|
sockjs-client have now implemented this fix. (sockjs/sockjs-client#590) webpack-dev-server can now consume the newest version of sockjs-client |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug report
webpack-dev-server has sockjs-client as a dependency. sockjs-client has a dependency eventsource. sockjs-client needs to update to latest event soruce. Once that is done, webpack-dev-server will need to update to latest sockjs-client
sockjs-client will need to use eventsource 2.0.2. Lower versions have a critical vulnerability.
Actual Behavior
Vulnerability scanners (with up to date definitions), perform a scan against webpack-dev-server. Notice the failure for eventsource 1.1.0
Expected Behavior
Use a vulnerability scanners (with up to date definitions), it should pass with eventsource, sockjs-client and webpack-dev-server
How Do We Reproduce?
Use a vulnerability scanner (with up to date definitions), perform a scan against webpack-dev-server. Notice the failure for eventsource 1.1.0
The text was updated successfully, but these errors were encountered: