
Socket.io update required to later versions as vulnerability reported

Open RMutharaju opened this issue 4 years ago • 2 comments

What are the steps to reproduce?

With Socket.io: ~3.0.0 and earlier versions, there is a vulnerability reported for one of its dependency components: https://nvd.nist.gov/vuln/detail/CVE-2021-31597

What happens?

What do you expect to happen?

Please tell us about your environment:

  • [ ] Node-RED-Dashboard version: Latest
  • [ ] Node-RED version: 1.2.x
  • [ ] node.js version:
  • [ ] npm version:
  • [ ] Platform/OS:
  • [ ] Browser:

RMutharaju, Apr 27 '21 05:04

Yes - we are well aware of this. Currently the core of Node-RED and Dashboard both still support Nodejs v8 and 10 - moving to that new version will break support for them. We are currently in the process of moving to Node-RED v2 and at that point we will also release Dashboard v3 which will have this fix.

dceejay, Apr 27 '21 10:04

Thanks for your response @dceejay :)

RMutharaju, Apr 28 '21 10:04