socketio/engine.io-client

Vulnerability in xmlhttprequest-ssl

Hawxy opened this issue · 7 comments

Hawxy commented

Just a heads up that the current xmlhttprequest-ssl version shipped with this package has an open vulnerability:
https://app.snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936

I was pinged about this as I have a dependency that uses an old version of this package before xmlhttprequest-ssl was internalized, however the issue still remains.

Thanks for the heads-up! 👍

Technically, I think we are always using async: true when using the XMLHttpRequest instance (here and here).

I'll update the dependency once the issue is fixed upstream though.

Is xmlhttprequest-ssl maintained any more? The readme at https://github.com/mjwwit/node-XMLHttpRequest seems to suggest it was explicitly created/forked for engine.io-client, but the last commit is 18 months old. The repo also won't take new issues.

@andyedwardsdfdl I don't think it is actively maintained, but we could indeed try to reach the maintainer.

Regarding the vulnerability, a solution would be to remove the synchronous part (async: false) and publish a new major version (or fork it, though that's a lot of work for something we don't actually use...)

Hawxy commented

Got pinged with this additional vuln: https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1255647

A patched version of the package that fixes both of the above issues appears available on the fork and is being pushed to npm: https://github.com/mjwwit/node-XMLHttpRequest

Looks like xmlhttprequest-ssl has another security issue: https://www.npmjs.com/advisories/1665 . Any chance the maintainer could bump its version to a passing build (1.6.2) for version 3.5.x?

Also for 4.1.x if possible please! 🙏

This should be fixed now:

Thanks for the heads-up 🙏
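A way to check your own lockfile for the situation described in this thread (an older engine.io-client pinning an xmlhttprequest-ssl release below the 1.6.2 build requested above), as an added example that is not code from the engine.io-client project: it walks a lockfileVersion 1 style `dependencies` tree (assumption; v2/v3 lockfiles use a flat `packages` map instead), treats 1.6.2 as the lowest acceptable version because that is the build the thread asks for, and runs on a constructed sample lockfile embedded inline.

```javascript
// Added example (not from engine.io-client): flag every nested copy of
// xmlhttprequest-ssl in a package-lock.json v1 tree that is older than the
// version the thread asks for. MIN_FIXED is taken from the thread (assumption:
// 1.6.2 is the lowest build you want installed).
const MIN_FIXED = '1.6.2';
const PKG = 'xmlhttprequest-ssl';

// Compare two dotted semver strings numerically (pre-release tags ignored);
// returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect { path, version } for every copy of `name`, including
// copies nested under other packages' "dependencies" (lockfile v1 layout).
function findPackage(deps, name, prefix = '') {
  const hits = [];
  for (const [dep, info] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${dep}` : dep;
    if (dep === name) hits.push({ path, version: info.version });
    hits.push(...findPackage(info.dependencies, name, path));
  }
  return hits;
}

// Return only the copies still below MIN_FIXED.
function vulnerableCopies(lock) {
  return findPackage(lock.dependencies, PKG)
    .filter((h) => compareSemver(h.version, MIN_FIXED) < 0);
}

// Constructed sample lockfile (versions are made up for illustration): an old
// engine.io-client carrying its own old xmlhttprequest-ssl, plus a fixed copy
// hoisted to the top level.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'engine.io-client': {
      version: '3.5.0',
      dependencies: { 'xmlhttprequest-ssl': { version: '1.5.5' } },
    },
    'xmlhttprequest-ssl': { version: '1.6.2' },
  },
};

for (const v of vulnerableCopies(SAMPLE_LOCK)) {
  console.log(`${v.path}@${v.version} is below ${MIN_FIXED}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.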