Backport CVE-2020-36048 to 3.5.x

Question

andrewaustin opened this issue 4 years ago · 4 comments

Can we backport the change here: 734f9d1 to 3.5.x?

Answer 1 · 2021-01-11T21:06:11.000Z

Thanks for raising this issue 👍

My only concern is that it is actually a breaking change that is likely to break some production deployments. What do you think?

Answer 2 · 2021-01-26T12:56:05.000Z

Is it possible to opt into the fix somehow without doing a major version bump?

Answer 3 · 2021-01-27T06:52:22.000Z

As I said above, this is a breaking change that will silently bite some users.

What we could do instead is deprecate the latest 3.x version, in order to help users upgrade to Engine.IO v4 / Socket.IO v3.

Answer 4 · 2021-11-02T21:59:18.000Z

Closed due to inactivity, please reopen if needed.