Description
Is there an existing issue for this?
- I have searched the existing issues
 
Describe the bug
When you use the Snyk Open Source (SCA) tool to scan your npm package.json file while using version 6.0.5 of "@microsoft/signalr", a vulnerability is reported for the "eventsource" package.
It seems to be using an old 1.0.7 version, but due to the "^" notation, it effectively gets 1.1.1, which is also vulnerable.
The first unaffected version is 2.0.2.
Expected Behavior
No Microsoft (JavaScript or otherwise) package should have a reported security vulnerability for any more than a day or two.
Steps To Reproduce
Repro solution: https://github.com/mgroetan/MicrosoftSignalRJsVulnRepro
Install Snyk: npm install -g snyk
Run Snyk: snyk test --all-projects
Observe that you get the following vulnerability report:
Issues with no direct upgrade or patch:
✗ Information Exposure [Medium Severity][https://snyk.io/vuln/SNYK-JS-EVENTSOURCE-2823375] in eventsource@1.1.1
introduced by @microsoft/signalr@6.0.5 > eventsource@1.1.1
This issue was fixed in versions: 2.0.2
Exceptions (if any)
No response
.NET Version
6.0.300
Anything else?
The cdnjs URL, showing 1 vulnerability (through its Snyk plugin): https://cdnjs.com/libraries/microsoft-signalr
The Snyk report, showing a security review is needed, but for some reason doesn't show the actual vulnerability: https://snyk.io/advisor/npm-package/@microsoft/signalr
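Added example, not part of the issue above and not code from the SignalR project: it shows why the caret range the issue describes ("^1.0.7" declared by @microsoft/signalr@6.0.5) resolves to eventsource 1.1.1 and can never reach the first fixed release 2.0.2, which is exactly why Snyk files this under "Issues with no direct upgrade or patch". The list of published versions is a constructed sample, not a registry query; the range and fixed version are taken from the issue text.

```javascript
// Added example: caret-range resolution versus a vulnerability's first fixed version.
// The published-version list below is a constructed sample, not live registry data.

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// Standard numeric semver ordering (pre-release tags are out of scope here).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Caret semantics for versions >= 1.0.0: same major, at least the base version.
// 0.x caret ranges follow a different rule and are rejected to keep this honest.
function satisfiesCaret(range, candidate) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const base = range.slice(1);
  const pb = parseVersion(base), pc = parseVersion(candidate);
  if (pb.major < 1) throw new Error('0.x caret ranges are not handled in this example');
  return pc.major === pb.major && compareVersions(candidate, base) >= 0;
}

// What npm installs: the highest published version that satisfies the range.
function maxSatisfying(range, published) {
  const ok = published.filter(v => satisfiesCaret(range, v)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// A resolved version is vulnerable when it sorts below the first fixed version.
function isVulnerable(resolved, firstFixed) {
  return compareVersions(resolved, firstFixed) < 0;
}

// Constructed sample of eventsource releases (illustrative only).
const PUBLISHED = ['1.0.7', '1.1.0', '1.1.1', '2.0.0', '2.0.1', '2.0.2'];
const RANGE = '^1.0.7';      // range the issue says @microsoft/signalr@6.0.5 declares
const FIRST_FIXED = '2.0.2'; // first unaffected version per the quoted Snyk report

// Returns what resolves, whether it is vulnerable, and whether any in-range
// version would already be fixed (i.e. whether a "direct upgrade" exists).
function analyse(range = RANGE, published = PUBLISHED, firstFixed = FIRST_FIXED) {
  const resolved = maxSatisfying(range, published);
  const directUpgradeAvailable = published.some(
    v => satisfiesCaret(range, v) && !isVulnerable(v, firstFixed)
  );
  return {
    resolved,
    vulnerable: resolved !== null && isVulnerable(resolved, firstFixed),
    directUpgradeAvailable,
  };
}

console.log(analyse());
// → { resolved: '1.1.1', vulnerable: true, directUpgradeAvailable: false }
```

Because the fixed version sits in a new major, the only clean remedy is for the upstream package to widen or bump its declared range. Consumers on npm 8.3 or later can force a transitive version with the `overrides` field in package.json, but pinning eventsource 2.x under a library that still declares ^1.0.7 assumes the 2.0 major bump is not breaking for that library, which should be verified rather than taken on faith.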