nsp advisory Regular Expression Denial of Service

[alecbenson]

Looks like https://nodesecurity.io/advisories/106 applies to engine.io
I think the solution is to upgrade accepts:

https://github.com/jshttp/accepts/releases/tag/1.3.3

[rauchg]

@alecbenson thanks for the heads-up, upgrading

[rauchg]

d9dda2b..298cb6f

[mikermcneil]

@alecbenson @rauchg Thanks! I'll keep an eye out for the publish for engine.io and socket.io (it's pinned).

But in the mean time, for the record: this vulnerability doesn't actually affect Socket.io or Engine.io. That's because Engine.io (and therefore Socket.io) is not using accepts (and therefore negotiator) to check for accepted languages. In other words, this is the same story as with the compression dependency in Sails and Connect (which @dougwilson verified this morning.)

[Reobos]

Why is accepts@1.1.4 still a dependency in engine.io npm registry tarball https://registry.npmjs.org/engine.io/-/engine.io-1.6.11.tgz? Or am I confused about npm dependency handling? See also socketio/socket.io#2591

[alokrajiv]

Snyk.io is also catching the issue and is passing the warning to many libraries that depend on engine.io:
https://snyk.io/test/npm/engine.io/1.6.11

[hairyhenderson]

This is really weird... the engine.io@1.6.11 that's installed from npm right now has accepts@1.1.4 as a dependency:

$ grep accepts package.json 
    "accepts": "1.1.4",

Looks like 298cb6f never made it into the 1.6.11 tag:

1.6.11...master

[hairyhenderson]

@rauchg - would it be possible to get a 1.6.12 released with the 298cb6f fix in it?

[mavrick]

Any chance we can get this fixed?

[YasharF]

I believe the engine.io npm package needs a minor version bump to resolve the issue in the issue after the dependency upgrade. The minor version bump would also resolve the issue with #410

[hairyhenderson]

/cc @darrachequesne @rauchg - any possibility of getting this resolved finally?

[darrachequesne]

Closed by 330526a