Engine.io-client xmlhttprequest-ssl high severity vulnerabilities

[jzombie]

Saw this high severity notice generated by Dependabot for a few packages I have that are using airtap.

---

xmlhttprequest-ssl
Open GitHub opened this alert 8 hours ago
Dependabot cannot update xmlhttprequest-ssl to a non-vulnerable version
The latest possible version that can be installed is 1.5.5 because of the following conflicting dependency:

airtap@4.0.3 requires xmlhttprequest-ssl@~1.5.4 via engine.io-client@3.3.2
The earliest fixed version is 1.6.2.

View logs or learn more about troubleshooting Dependabot errors.

1 xmlhttprequest-ssl vulnerability found in package-lock.json 8 hours ago
Remediation
Upgrade xmlhttprequest-ssl to version 1.6.2 or later. For example:

"dependencies": {
"xmlhttprequest-ssl": ">=1.6.2"
}
or…
"devDependencies": {
"xmlhttprequest-ssl": ">=1.6.2"
}
Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2020-28502
high severity
Vulnerable versions: < 1.6.2
Patched version: 1.6.2
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

[vweevers]

Thanks for the report. At first glance, doesn't seem to affect airtap. According to their changelog and a comment:

engine.io-client was not directly impacted by this vulnerability, since we are always using async: true

Though this statement applies to engine.io-client 3.5.x and 4.1.x, while we are on 3.3.x - because later versions break older browsers, see #275 (comment).

[vweevers]

In addition, xmlhttprequest-ssl is only used by engine.io-client in Node.js, we only use engine.io-client in browsers.

https://github.com/socketio/engine.io-client/blob/3.3.2/package.json#L72

We're good.

[Gudahtt]

Thanks for looking into that @vweevers - that's good to hear.

Still it would be great if users of this library weren't greeted by this alarming advisory. Would you accept a PR that bumped engine.io-client to a version that was not vulnerable? I see that it was pinned for browser compatibility reasons - which browsers do you currently want to maintain support of? Or are there any other related concerns you have?

[jzombie]

I made a PR (#315) which updates all of the dependencies w/ the latest versions.

A new high vulnerability appears as a result of the trim package (details in PR), but it gets rid of the existing low, high, and critical vulnerabilities.

Tests report that they all pass, though I was getting some browser timeouts before the PR was made, and afterwards. Test peculiarities seems consistent before / after. Copied and pasted the before / after test results into the PR.

Also did a standard --fix to fix the usage of vars, as it had linting errors after bumping the deps.

(By the way, utilized https://www.npmjs.com/package/npm-check-updates for the dep bumping)

[YoDaMa]

just pinging here saying that this vulnerability would be great to have fixed.

[vweevers]

4.0.4