
Update sockjs as it presents a vulnerability or allow for it to update #2940

Closed
@rjherrera

  • Operating System: N/A
  • Node Version: N/A
  • NPM Version: N/A
  • webpack Version: N/A
  • webpack-dev-server Version: 3.11.0
  • Browser: N/A
  • This is a bug
  • This is a modification request
  • This is a dependency update request

There is a vulnerability in sockjs, and webpack-dev-server 3.11.0 uses it as a dependency, as shown in the package.json#L62. The thing is, it's included with an explicit version (no caret or anything), and therefore it is locked to that specific version, not allowing for patch updates.

As sockjs presents a vulnerability in one of its dependencies, this is a problem affecting webpack-dev-server. The issue has been addressed in sockjs/sockjs-node#275, so I think either allowing for patch updates with ^0.3.20 or explicitly updating to 0.3.21 would address this issue.

Thanks! I'd be glad to submit a pull request if this is the correct approach!
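
The difference between the two declarations discussed in the issue above, as an added example that is not part of the original post or the webpack-dev-server code base: a minimal check of npm's exact, caret and tilde range rules against a fixed release. The manifests and the helper names (`satisfies`, `blockedFixes`) are constructed for illustration; the version numbers are those named in the issue.

```javascript
// Added example: minimal semver range check (exact, ^ and ~ only; no prerelease tags).
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
};

const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

// Exclusive upper bound of a caret range, following npm's rule:
// the leftmost non-zero component may not change, so ^0.3.20 stops at 0.4.0.
const caretUpper = ([maj, min, pat]) =>
  maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];

function satisfies(version, range) {
  const v = parse(version);
  const op = /^[\^~]/.test(range) ? range[0] : "=";
  const base = parse(op === "=" ? range : range.slice(1));
  if (op === "=") return cmp(v, base) === 0; // explicit version: exact match only
  const upper = op === "^" ? caretUpper(base) : [base[0], base[1] + 1, 0];
  return cmp(v, base) >= 0 && cmp(v, upper) < 0;
}

// Report dependencies whose declared range cannot reach the fixed release.
function blockedFixes(pkg, fixes) {
  return Object.entries(fixes)
    .filter(([name, fixed]) => pkg.dependencies[name] !== undefined &&
      !satisfies(fixed, pkg.dependencies[name]))
    .map(([name, fixed]) => ({ name, declared: pkg.dependencies[name], fixed }));
}

// Constructed manifests mirroring the two declarations compared in the issue.
const pinned = { dependencies: { sockjs: "0.3.20" } };
const caret = { dependencies: { sockjs: "^0.3.20" } };
const fixes = { sockjs: "0.3.21" }; // fixed release named in the issue

console.log("pinned:", blockedFixes(pinned, fixes));
console.log("caret: ", blockedFixes(caret, fixes));
```

A range only widens what a fresh resolution may select; an existing lockfile still holds the previously resolved version until it is regenerated.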
