Hi, @darrachequesne @rauchg, I found 2 vulnerabilities in your package by accident:
Issue Description
When I build my project, I note that engine.io-client@3.3.2 directly depends on xmlhttprequest-ssl@1.5.5. However, 2 vulnerabilities (high severity), CVE-2021-31597 and CVE-2020-28502, are detected in package xmlhttprequest-ssl<1.6.1. And I noticed that these vulnerabilities don't exist in engine.io-client (>=1.8.6 <2.0.0, >=3.5.2 <4.0.0, >=4.1.4).
As far as I am aware, engine.io-client@3.3.2 is so popular that a lot of projects still depend on it (176,318 downloads per week, and about 872 downstream projects, e.g., uppy 1.30.0, @uppy/transloadit 1.6.26, react-cosmos 5.6.3, react-cosmos-shared2 5.6.3, @uppy/robodog 1.10.12, @robostack/amphion@0.1.25, @robostack/zethus@0.1.30, auto-ros@0.1.2, etc.). In this case, issues CVE-2021-31597 and CVE-2020-28502 can be propagated into these downstream projects and expose security threats to them.
As you can see, engine.io-client@3.3.2 is introduced into the above projects via the following package dependency paths:
(1) @robostack/amphion@0.1.25 ➔ roslib@1.1.0 ➔ socket.io@2.2.0 ➔ socket.io-client@2.2.0 ➔ engine.io-client@3.3.2 ➔ xmlhttprequest-ssl@1.5.5
(2) @robostack/zethus@0.1.30 ➔ amphion@0.1.23 ➔ roslib@1.1.0 ➔ socket.io@2.2.0 ➔ socket.io-client@2.2.0 ➔ engine.io-client@3.3.2 ➔ xmlhttprequest-ssl@1.5.5
(3) auto-ros@0.1.2 ➔ roslib@1.1.0 ➔ socket.io@2.2.0 ➔ socket.io-client@2.2.0 ➔ engine.io-client@3.3.2 ➔ xmlhttprequest-ssl@1.5.5
........
Although these vulnerabilities don't exist in engine.io-client (>=1.8.6 <2.0.0, >=3.5.2 <4.0.0, >=4.1.4), the downstream projects cannot easily upgrade or downgrade engine.io-client from version 3.3.2 to these safe versions:
The projects such as roslib which introduced engine.io-client@3.3.2 are not maintained anymore. And these unmaintained packages can neither upgrade nor downgrade engine.io-client, nor be easily migrated by the large number of affected downstream projects.
Given the large number of downstream users, is it possible to remove the vulnerabilities from engine.io-client@3.3.2?
Suggested Solution
Maybe releasing a new patched version with the updated dependency is the simplest way to resolve the issue. Since these inactive projects set a version constraint 3.3.* for engine.io-client on the above vulnerable dependency paths, if you can kindly remove the vulnerabilities from 3.3.2 and release a new patched version engine.io-client@3.3.3, such a vulnerability patch can be automatically propagated into the 872 affected downstream projects.
In engine.io-client@3.3.3, you can kindly try to perform the following upgrade: xmlhttprequest-ssl ~1.5.4 ➔ ~1.6.1
Note: xmlhttprequest-ssl@1.6.1 (>=1.6.1) has fixed the vulnerabilities CVE-2021-31597 and CVE-2020-28502.
If you have any other ways, it's kind of you to share them with me.
Thanks again for your contributions. ^_^
Best regards,
Paimon
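The suggested solution rests on a semver argument: consumers pinned to `3.3.*` pick up a hypothetical engine.io-client@3.3.3 automatically, but never 3.5.2 or 4.1.4, and engine.io-client's own `~1.5.4` constraint can never resolve to the fixed xmlhttprequest-ssl@1.6.1, which is why a new engine.io-client release is needed. The following Node.js script is an added example, not code from the issue author or the engine.io-client project. It implements just the range shapes the issue uses (`3.3.*`, `~x.y.z`, and comparator sets such as `>=3.5.2 <4.0.0`) without the `semver` package, and walks a constructed dependency tree (mirroring path (1) from the issue) to list every path ending in xmlhttprequest-ssl < 1.6.1. The tree, the `findVulnerablePaths` and `reachableByPin` helpers and the `VULNERABLE` table are assumptions made for this example.

```javascript
// Added example (not from the issue or the engine.io-client project):
// a dependency-free check of the semver reasoning in "Suggested Solution".

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// Negative, zero or positive, like a comparator for Array.prototype.sort.
function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// True when `version` satisfies `range`. Only the three range shapes used in
// the issue are supported; anything else throws rather than reading as "safe".
function satisfies(version, range) {
  const r = range.trim();
  // Wildcard patch: 3.3.* means >=3.3.0 <3.4.0
  const star = r.match(/^(\d+)\.(\d+)\.\*$/);
  if (star) {
    const v = parseVersion(version);
    return v.major === Number(star[1]) && v.minor === Number(star[2]);
  }
  // Tilde: ~1.5.4 means >=1.5.4 <1.6.0 (so 1.6.1 is never selected)
  const tilde = r.match(/^~(\d+)\.(\d+)\.(\d+)$/);
  if (tilde) {
    const v = parseVersion(version);
    return v.major === Number(tilde[1]) && v.minor === Number(tilde[2]) &&
      v.patch >= Number(tilde[3]);
  }
  // Comparator set: every comparator must hold, e.g. ">=3.5.2 <4.0.0"
  return r.split(/\s+/).every((c) => {
    const m = c.match(/^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported range syntax: ${range}`);
    const d = compare(version, m[2]);
    switch (m[1] || '=') {
      case '>=': return d >= 0;
      case '<=': return d <= 0;
      case '>': return d > 0;
      case '<': return d < 0;
      default: return d === 0;
    }
  });
}

// Vulnerable range stated in the issue: xmlhttprequest-ssl < 1.6.1.
const VULNERABLE = { 'xmlhttprequest-ssl': '<1.6.1' };

// Constructed dependency tree mirroring path (1) of the issue.
// Node shape: { name, version, deps: [...] }
const tree = {
  name: '@robostack/amphion', version: '0.1.25', deps: [
    { name: 'roslib', version: '1.1.0', deps: [
      { name: 'socket.io', version: '2.2.0', deps: [
        { name: 'socket.io-client', version: '2.2.0', deps: [
          { name: 'engine.io-client', version: '3.3.2', deps: [
            { name: 'xmlhttprequest-ssl', version: '1.5.5', deps: [] },
          ] },
        ] },
      ] },
    ] },
  ],
};

// Depth-first walk returning every "a@1 ➔ b@2 ➔ ..." path whose last node
// matches an entry in the vulnerable table.
function findVulnerablePaths(node, vulnerable = VULNERABLE, trail = []) {
  const here = [...trail, `${node.name}@${node.version}`];
  const hits = [];
  const range = vulnerable[node.name];
  if (range && satisfies(node.version, range)) hits.push(here.join(' ➔ '));
  for (const dep of node.deps) hits.push(...findVulnerablePaths(dep, vulnerable, here));
  return hits;
}

// Which candidate releases would a consumer pinned to `pin` pick up on its own?
function reachableByPin(pin, candidates) {
  return candidates.filter((v) => satisfies(v, pin));
}

console.log(findVulnerablePaths(tree));
console.log(reachableByPin('3.3.*', ['3.3.3', '3.5.2', '4.1.4'])); // only 3.3.3
console.log(satisfies('1.6.1', '~1.5.4')); // false: the old constraint blocks the fix
```

The same walk can be pointed at a parsed lockfile to confirm, after a dependency bump, that no path still resolves to a version inside the vulnerable range.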
@darrachequesne Such a fix is an additional effort that the npm community brings to you.
The vulnerability patch in engine.io-client@3.3.3 can be automatically propagated into 872 projects.
Literally, it indeed benefits a huge number of downstream users.