Backport CVE-2020-36048 to 3.5.x
andrewaustin opened this issue · 4 comments
andrewaustin commented
Can we backport the change here: 734f9d1 to 3.5.x?
darrachequesne commented
Thanks for raising this issue 👍
My only concern is that it is actually a breaking change that is likely to break some production deployments. What do you think?
andrewaustin commented
Is it possible to opt into the fix somehow without doing a major version bump?
darrachequesne commented
As I said above, this is a breaking change that will silently bite some users.
What we could do instead is deprecate the latest 3.x version, in order to help users upgrade to Engine.IO v4 / Socket.IO v3.
darrachequesne commented
Closed due to inactivity; please reopen if needed.