
Drop deprecated socket.io dependency #64

Open
jankeromnes opened this issue Oct 13, 2017 · 6 comments

Comments

@jankeromnes
Collaborator

Hello!

ScoutCamp's socket.io has been marked as deprecated for a while, and a security bot recently detected 16 vulnerabilities in the version we import (but don't use) in Janitor.

Maybe this is a good time to remove socket.io from ScoutCamp's dependencies entirely? Does any ScoutCamp-based project still use socket.io, e.g. https://github.com/garden/tree ? (It doesn't seem so).
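One way to check which declared dependencies a code base never actually loads, as an added example that is not part of this issue or the ScoutCamp code (the package names, versions and file contents below are constructed; a real run would read package.json and the source files from disk):

```javascript
// Added example: report dependencies declared in package.json that no source
// file requires or imports, so a vulnerable-but-unused package can be dropped.
// Inputs are constructed in memory here; nothing below is read from disk.

// Map a module specifier to its package name: 'socket.io/lib/x' -> 'socket.io',
// '@scope/pkg/sub' -> '@scope/pkg'. Relative paths and node: built-ins are not packages.
function packageNameOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/') || specifier.startsWith('node:')) {
    return null;
  }
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Collect the package names referenced by require() or ES import in one source file.
function referencedPackages(source) {
  const found = new Set();
  const patterns = [
    /require\(\s*['"]([^'"]+)['"]\s*\)/g,
    /import\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]/g,
  ];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(source)) !== null) {
      const name = packageNameOf(m[1]);
      if (name) found.add(name);
    }
  }
  return found;
}

// Return the declared dependencies that no source file references.
function unusedDependencies(packageJsonText, sources) {
  const pkg = JSON.parse(packageJsonText);
  const declared = Object.keys(pkg.dependencies || {});
  const used = new Set();
  for (const src of sources) for (const name of referencedPackages(src)) used.add(name);
  return declared.filter((name) => !used.has(name));
}

// Constructed sample inputs (hypothetical project, not the real ScoutCamp files).
const samplePackageJson = JSON.stringify({
  name: 'sample-app',
  dependencies: { camp: '0.0.0', 'socket.io': '0.0.0', ws: '0.0.0' },
});
const sampleSources = [
  "const camp = require('camp');\nconst ws = require('ws/index.js');",
  "import './local-helper';\nconst path = require('node:path');",
];

console.log(unusedDependencies(samplePackageJson, sampleSources)); // prints [ 'socket.io' ]
```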

@jankeromnes
Collaborator Author

Another way around this is to upgrade to the newer socket.io 2.0.0 version that was recently published. See jankeromnes#3

@espadrine
Owner

IIRC, socket.io v2 is the reason socket.io became deprecated, as it lacked the features necessary to have the same API we currently offer for it.

@paulmelnikow
Contributor

Hey @espadrine, would you be willing to drop the vulnerable dependencies from package.json? If people are using the socketio support they could install them manually.

Dropping them from package.json would allow npm audit to give Shields a clean bill of health.

paulmelnikow added a commit to badges/shields that referenced this issue Nov 3, 2018
The only remaining vulnerabilities are in scoutcamp: espadrine/sc#64.
@espadrine
Owner

@paulmelnikow Is that related to galkn/parsejson#4?

I can remove socket.io for security reasons.

Can you pinpoint what the target is? When I run npm audit in camp, I see 0 vulnerabilities. (When I run it in gh-badges, I see two camp high vulnerabilities, but I don't see why we wouldn't see it in camp.)

OK, I figured it out. The latest commit is not part of an npm version. Pushing one now…

@espadrine
Owner

v17.2.2 published.

espadrine added a commit to espadrine/shields that referenced this issue Nov 3, 2018
This fixes remaining vulnerabilities raised by `npm audit`.

Follow-up to badges#2258.

Related issues from dependencies:

- camp upgrade: espadrine/sc#64
- socket.io vulnerability: galkn/parsejson#4
paulmelnikow added a commit to badges/shields that referenced this issue Nov 4, 2018
The only remaining vulnerabilities are in scoutcamp: espadrine/sc#64.
@paulmelnikow
Contributor

Thanks so much!

espadrine added a commit to espadrine/shields that referenced this issue Nov 4, 2018
This fixes remaining vulnerabilities raised by `npm audit`.

Follow-up to badges#2258.

Related issues from dependencies:

- camp upgrade: espadrine/sc#64
- socket.io vulnerability: galkn/parsejson#4
chris48s pushed a commit to badges/shields that referenced this issue Nov 4, 2018
This fixes remaining vulnerabilities raised by `npm audit`.

Follow-up to #2258.

Related issues from dependencies:

- camp upgrade: espadrine/sc#64
- socket.io vulnerability: galkn/parsejson#4