Need 2.4.x to upgrade to socket.io-parser@3.4.1 for security issue

[andrewaustin]

socket.io-parser version 3.3.1 is vulnerable to socketio/socket.io-parser#95.

socket.io-client 2.4.x is pinned to "socket.io-parser": "~3.3.0" so it will not pick up this security patch which is fixed in 3.4.1

socket.io-parser was lasted updated in this commit: 06e9a4c 2 years ago.

The diff of changes is here: https://github.com/socketio/socket.io-parser/compare/3.3.0..3.4.1

[darrachequesne]

Hi! I backported the security fix in the 3.3.x branch and included it in 3.3.2.

Please note that the server part (which was indeed vulnerable) imports socket.io-parser@~3.4.0 (see here), which already includes the fix (the difference is due to the version of the debug dependency, which included some es6 code in latest versions).

Thanks for the heads-up! 👍

[andrewaustin]

Perfect thanks!