dependency on "ws" version < 2.00 has security flaw in random number generator

[pmuellr]

Note: for support questions, please use one of these channels: stackoverflow or slack

You want to:

• report a bug
• request a feature

Current behaviour

Fails vulnerability test with snyk vuln db.

See same issue on engine.io - socketio/engine.io#479

Steps to reproduce (if the current behaviour is a bug)

Expected behaviour

Setup

• OS:
• browser:
• engine.io version:

Other information (e.g. stacktraces, related issues, suggestions how to fix)

[darrachequesne]

I'll be happy to merge your pull request 👍

[pmuellr]

Will do, if I find the time. Need to investigate what the ws upgrade entails.

Breaking changes from ws 1.x -> 2.x are listed here: https://github.com/websockets/ws/releases/tag/2.0.0

Complete changelog for ws here: https://github.com/websockets/ws/releases

I guess the first step is to run the tests ...

Also looks like ws 1.1.2 might have patched the vulnerability, so that would be an easier upgrade - but Snyk has not yet marked this as "not vulnerable" yet - https://snyk.io/vuln/npm:ws:20160920

[mrvini]

@darrachequesne, is there a plan to upgrade engine.io-client to most recent version of WS

[pmuellr]

Note that my snyk vuln checking tool doesn't flag ws 1.1.2 as a vulnerability as of today, unlike when it did yesterday. They updated the vulnerable version expression to < 1.1.2.

Submitted PR #540 for this, I suspect more testing will be required.

[darrachequesne]

Closed by #539.