Comments (5)
There have been no updates in the past 10 months... Is this package even active? If so, this issue needs to be handled. @RafalWilinski
from express-status-monitor.
Yes, express-status-monitor needs an update.
from express-status-monitor.
7 vulnerabilities (1 moderate, 5 high, 1 critical)
# npm audit report
axios <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios
express-status-monitor <=0.1.9 || >=1.2.5
Depends on vulnerable versions of axios
Depends on vulnerable versions of socket.io
node_modules/express-status-monitor
socket.io <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
Severity: high
Insecure Default Configuration - https://npmjs.com/advisories/1609
Depends on vulnerable versions of socket.io-client
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/socket.io
express-status-monitor <=0.1.9 || >=1.2.5
Depends on vulnerable versions of axios
Depends on vulnerable versions of socket.io
node_modules/express-status-monitor
ws 5.0.0 - 5.2.2 || 6.0.0 - 6.2.1 || 7.0.0 - 7.4.5
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1748
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/engine.io-client/node_modules/ws
engine.io-client 0.7.0 || 0.7.8 - 0.7.9 || 1.6.0 - 1.8.5 || 2.0.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
Depends on vulnerable versions of ws
Depends on vulnerable versions of xmlhttprequest-ssl
node_modules/engine.io-client
socket.io-client 1.4.0 - 1.7.3 || 2.0.0 - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
Depends on vulnerable versions of engine.io-client
node_modules/socket.io-client
socket.io <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
Depends on vulnerable versions of socket.io-client
node_modules/socket.io
express-status-monitor <=0.1.9 || >=1.2.5
Depends on vulnerable versions of axios
Depends on vulnerable versions of socket.io
node_modules/express-status-monitor
xmlhttprequest-ssl <=1.6.1
Severity: critical
Arbitrary Code Injection - https://npmjs.com/advisories/1665
Improper Verification of Cryptographic Signature - https://npmjs.com/advisories/1746
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/xmlhttprequest-ssl
engine.io-client 0.7.0 || 0.7.8 - 0.7.9 || 1.6.0 - 1.8.5 || 2.0.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
Depends on vulnerable versions of ws
Depends on vulnerable versions of xmlhttprequest-ssl
node_modules/engine.io-client
socket.io-client 1.4.0 - 1.7.3 || 2.0.0 - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
Depends on vulnerable versions of engine.io-client
node_modules/socket.io-client
socket.io <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
Depends on vulnerable versions of socket.io-client
node_modules/socket.io
express-status-monitor <=0.1.9 || >=1.2.5
Depends on vulnerable versions of axios
Depends on vulnerable versions of socket.io
node_modules/express-status-monitor
7 vulnerabilities (1 moderate, 5 high, 1 critical)
To address all issues (including breaking changes), run:
npm audit fix --force
from express-status-monitor.
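The audit output above is mostly one chain: express-status-monitor pulls in socket.io, which pulls in socket.io-client, engine.io-client, ws and xmlhttprequest-ssl, so the seven "vulnerabilities" collapse to five advisories behind one direct dependency, and the only fix npm offers is a semver-major one. The script below is an added example, not code from the express-status-monitor project or from anyone in this thread: it triages an `npm audit --json` report (npm 7+, auditReportVersion 2) by walking each finding's `via` list back to the leaf advisories, attributing them to the direct dependency that must actually be upgraded, flagging a breaking fix instead of applying it blindly with `--force`, and pointing out nested installs such as `node_modules/engine.io-client/node_modules/ws` that a top-level bump will not replace. `sampleReport` is constructed to mirror the chain above; the fix version and the per-advisory severities are assumptions, because the page only shows package-level severities and obfuscated version strings.

```javascript
// Added example (not code from the express-status-monitor project): triage an
// `npm audit --json` report (npm 7+, auditReportVersion 2). `sampleReport` is
// constructed to mirror the chain in the comment above; the fix version and the
// per-advisory severities are assumptions (the page shows only package-level
// severities and obfuscated versions).
const ADV = (source, name, title, severity, range) => ({ // one advisory, shaped as npm emits it
  source, name, dependency: name, title, severity, range, url: `https://npmjs.com/advisories/${source}`,
});
const FIX = { name: "express-status-monitor", version: "1.3.4", isSemVerMajor: true }; // assumed

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "axios": { isDirect: false, severity: "high", effects: ["express-status-monitor"], nodes: ["node_modules/axios"],
      via: [ADV(1594, "axios", "Server-Side Request Forgery", "high", "<0.21.1")], fixAvailable: FIX },
    "xmlhttprequest-ssl": { isDirect: false, severity: "critical", effects: ["engine.io-client"],
      nodes: ["node_modules/xmlhttprequest-ssl"], fixAvailable: FIX,
      via: [ADV(1665, "xmlhttprequest-ssl", "Arbitrary Code Injection", "critical", "<=1.6.1"),
            ADV(1746, "xmlhttprequest-ssl", "Improper Verification of Cryptographic Signature", "high", "<=1.6.1")] },
    "ws": { isDirect: false, severity: "moderate", effects: ["engine.io-client"],
      nodes: ["node_modules/engine.io-client/node_modules/ws"], fixAvailable: FIX,
      via: [ADV(1748, "ws", "Regular Expression Denial of Service", "moderate", "7.0.0 - 7.4.5")] },
    "engine.io-client": { isDirect: false, severity: "critical", effects: ["socket.io-client"],
      nodes: ["node_modules/engine.io-client"], via: ["ws", "xmlhttprequest-ssl"], fixAvailable: FIX },
    "socket.io-client": { isDirect: false, severity: "critical", effects: ["socket.io"],
      nodes: ["node_modules/socket.io-client"], via: ["engine.io-client"], fixAvailable: FIX },
    "socket.io": { isDirect: false, severity: "critical", effects: ["express-status-monitor"],
      nodes: ["node_modules/socket.io"], fixAvailable: FIX,
      via: [ADV(1609, "socket.io", "Insecure Default Configuration", "high", "<=2.3.0"), "socket.io-client"] },
    "express-status-monitor": { isDirect: true, severity: "critical", effects: [],
      nodes: ["node_modules/express-status-monitor"], via: ["axios", "socket.io"], fixAvailable: FIX },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Walk a package's `via` list: an object is an advisory on the package itself,
// a string names another vulnerable package it depends on. Returns the leaf
// advisories together with the dependency chain (direct dependency first).
function rootAdvisories(report, name, chain = [name]) {
  const vuln = report.vulnerabilities[name];
  if (!vuln) return [];
  const out = [];
  for (const v of vuln.via) {
    if (typeof v !== "string") out.push({ advisory: v, chain });
    else if (!chain.includes(v)) out.push(...rootAdvisories(report, v, [...chain, v])); // cycle guard
  }
  return out;
}

// One entry per direct dependency: the worst advisory it pulls in, every leaf
// advisory with its chain, and whether the fix npm offers is semver-major.
function triage(report) {
  const entries = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities)) {
    if (!vuln.isDirect) continue;
    const roots = rootAdvisories(report, name);
    const worst = roots.reduce(
      (acc, r) => (SEVERITY_RANK[r.advisory.severity] > SEVERITY_RANK[acc] ? r.advisory.severity : acc), "info");
    const f = vuln.fixAvailable;
    const fix = f === false ? "none" : f === true ? "non-breaking"
      : `${f.isSemVerMajor ? "breaking" : "non-breaking"} (${f.name}@${f.version})`;
    entries.push({
      direct: name, worstSeverity: worst, fix,
      advisories: roots.map((r) => ({
        id: r.advisory.source, title: r.advisory.title, severity: r.advisory.severity, chain: r.chain.join(" > "),
      })),
    });
  }
  return entries;
}

// A vulnerable copy installed under another package's node_modules is pinned by
// that parent's own range; bumping the top-level package will not replace it.
function nestedInstalls(report) {
  const out = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities)) {
    for (const p of vuln.nodes || []) {
      if (p.split("node_modules/").length - 1 > 1) out.push({ package: name, path: p });
    }
  }
  return out;
}

function formatTriage(report) {
  const lines = [];
  for (const t of triage(report)) {
    lines.push(`${t.direct}: worst ${t.worstSeverity}, fix ${t.fix}`);
    for (const a of t.advisories) lines.push(`  [${a.severity}] #${a.id} ${a.title} via ${a.chain}`);
  }
  for (const n of nestedInstalls(report)) lines.push(`nested copy: ${n.package} at ${n.path}`);
  return lines;
}

if (typeof require !== "undefined" && require.main === module) {
  // For a real project, replace sampleReport with JSON.parse(fs.readFileSync(0, "utf8"))
  // and pipe in `npm audit --json`.
  console.log(formatTriage(sampleReport).join("\n"));
}
```

Run against the sample, the script reports one direct dependency (express-status-monitor) whose worst reachable advisory is critical, lists the five advisories with the chain that reaches each (for example `express-status-monitor > socket.io > socket.io-client > engine.io-client > xmlhttprequest-ssl`), marks the fix as breaking, and singles out the nested `ws` copy. That is the information needed to decide between upgrading the direct dependency, overriding the transitive one, or accepting the risk, which the `--force` suggestion in the audit output does not give.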
I guess he abandoned it, sad.
from express-status-monitor.
Mostly closed in the 1.3.4 release (be7b8fc).
Nevertheless, there is 1 outstanding security vulnerability, GHSA-j4f2-536g-r55m.
[email protected]
> [email protected]
> [email protected]
This has been committed as 1a38ae5 (or PR #188), upgrading [email protected] to [email protected], but it has yet to have a release.
from express-status-monitor.