socketio/engine.io-client

Critical vulnerability with xmlhttprequest-ssl package, needs updating

sarahhayle opened this issue · 3 comments

Describe the bug

I am using react-cosmos which has engine.io-client as a dependency. On installing a dependency that uses engine.io-client, npm finds a critical vulnerability with xmlhttprequest-ssl.

To reproduce

  1. Run npm install react-cosmos in the terminal in your project
  2. Run npm audit
  3. See:

[screenshot of the npm audit output, 2021-05-25]

Expected behavior
xmlhttprequest-ssl needs to be updated to >=1.6.1.

We just ran into this as well using @nestjs/platform-socket.io

This issue should be fixed in latest versions:

Version 2.x:

$ npm ls xmlhttprequest-ssl
└─┬ socket.io@2.4.1
  └─┬ socket.io-client@2.4.0
    └─┬ engine.io-client@3.5.2
      └── xmlhttprequest-ssl@1.6.3

Version 3.x and above:

$ npm ls xmlhttprequest-ssl
└─┬ socket.io-client@3.1.3
  └─┬ engine.io-client@4.1.4
    └── xmlhttprequest-ssl@1.6.3

socket.io@2.2.0 is impacted though:

└─┬ socket.io@2.2.0
  └─┬ socket.io-client@2.2.0
    └─┬ engine.io-client@3.3.2
      └── xmlhttprequest-ssl@1.5.5

Please note that this version is not actually vulnerable, since we overwrite the default value of rejectUnauthorized (defaulting to true, see here).

Related: react-cosmos/react-cosmos#1329
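Added example, not code from the engine.io-client project or from any commenter above: a small Node script that walks an `npm ls --json`-style dependency tree and flags every copy of xmlhttprequest-ssl below the 1.6.1 threshold the thread names, so the check in the comment above can be repeated against a real tree instead of read off by eye. The tree it inspects is a constructed sample built from the listings quoted in this thread; the function names and the simplified version comparison are assumptions of this example.

```javascript
// Added example (not from the engine.io-client project): walk an
// `npm ls --json`-style dependency tree and flag every occurrence of a
// package whose version is below a patched threshold. The sample tree at the
// bottom is constructed from the `npm ls xmlhttprequest-ssl` output quoted
// in the thread; swap it for JSON.parse of a real `npm ls --json` run.

const PACKAGE = 'xmlhttprequest-ssl';
const FIXED_VERSION = '1.6.1'; // thread: needs to be >= 1.6.1

// Minimal compare on the numeric major.minor.patch part only. Pre-release
// tags are ignored, which is enough for the plain versions seen here.
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect every occurrence of `name`, with the dependency path
// that pulls it in, so the report says which top-level package to upgrade.
function findPackage(tree, name, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) {
      hits.push({
        path: here.join(' > '),
        version: info.version,
        vulnerable: compareVersions(info.version, FIXED_VERSION) < 0,
      });
    }
    hits.push(...findPackage(info, name, here));
  }
  return hits;
}

// Constructed sample in `npm ls --json` shape: one old socket.io@2.2.0 chain
// (xmlhttprequest-ssl@1.5.5) and one current 3.x chain (1.6.3).
const sampleTree = {
  name: 'my-app',
  dependencies: {
    'socket.io': { version: '2.2.0', dependencies: {
      'socket.io-client': { version: '2.2.0', dependencies: {
        'engine.io-client': { version: '3.3.2', dependencies: {
          'xmlhttprequest-ssl': { version: '1.5.5' } } } } } } },
    'socket.io-client': { version: '3.1.3', dependencies: {
      'engine.io-client': { version: '4.1.4', dependencies: {
        'xmlhttprequest-ssl': { version: '1.6.3' } } } } },
  },
};

// Run the check over the sample and return the findings.
function auditSample() {
  return findPackage(sampleTree, PACKAGE);
}

for (const h of auditSample()) {
  console.log(`${h.vulnerable ? 'BELOW FIX' : 'ok       '} ${h.path}`);
}
```

Run it with `node audit-xhr-ssl.js`; only the socket.io@2.2.0 chain is reported as below the fixed version, matching the comment above. As that comment also notes, a version below the threshold is not necessarily exploitable in practice when the caller overrides rejectUnauthorized, so treat the output as a list of dependency chains to upgrade rather than a verdict on exploitability.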

Closed due to inactivity, please reopen if needed.