This repository was archived by the owner on Aug 29, 2018. It is now read-only.

Insecure Defaults Allow MITM Over TLS #22

Closed
cloudlena opened this issue Apr 29, 2016 · 2 comments

@cloudlena

Running nsp check using NSP's command line tool returns the following vulnerability:

┌───────────────┬───────────────────────────────────────────────────────┐
│               │ Insecure Defaults Allow MITM Over TLS                 │
├───────────────┼───────────────────────────────────────────────────────┤
│ Name          │ engine.io-client                                      │
├───────────────┼───────────────────────────────────────────────────────┤
│ Installed     │ 1.6.8                                                 │
├───────────────┼───────────────────────────────────────────────────────┤
│ Vulnerable    │ <= 99.999.99999 || <= 1.6.8                           │
├───────────────┼───────────────────────────────────────────────────────┤
│ Patched       │ None                                                  │
├───────────────┼───────────────────────────────────────────────────────┤
│ Path          │ feathers-socketio@1.4.0 > socket.io@1.4.5 > socket.i… │
├───────────────┼───────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/99                 │
└───────────────┴───────────────────────────────────────────────────────┘

There is no fix yet but we should include the fix as soon as it's released by engine.io-client.
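
The nsp report above flags engine.io-client through a chain of transitive dependencies and, because no patched release existed, prints a "Vulnerable" range whose first clause matches every version. The following is an added example (not feathers, socket.io or nsp code) of the check a dependency audit performs: walk an `npm ls --json` style tree and report every path on which a package falls inside an advisory range. The sample tree is constructed; the socket.io-client hop and the second copy of engine.io-client under "other-lib" are assumptions made so that both a flagged and an unflagged case appear, and the post-fix range is hypothetical. The range grammar covers only the comparators nsp uses here on plain major.minor.patch versions.

```javascript
// Added example: find every path in a dependency tree on which a package
// falls inside an advisory's vulnerable range.
// Input shape is the one `npm ls --json` prints:
//   { name, version, dependencies: { <name>: { version, dependencies } } }
// Range grammar: comparators <=, <, >=, >, = on major.minor.patch versions,
// joined by whitespace (AND) and "||" (OR). Prerelease tags and caret/tilde
// ranges are deliberately unsupported; a real tool should use the semver package.

function parseVersion(v) {
  const m = /^\s*(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric per-component comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies at least one "||" clause of `range`.
function satisfies(version, range) {
  return range.split('||').some((clause) => {
    const comparators = [...clause.matchAll(/(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)/g)];
    if (comparators.length === 0) throw new Error(`unsupported range clause: ${clause}`);
    return comparators.every(([, op = '=', bound]) => {
      const c = compareVersions(version, bound);
      switch (op) {
        case '<=': return c <= 0;
        case '<': return c < 0;
        case '>=': return c >= 0;
        case '>': return c > 0;
        default: return c === 0;
      }
    });
  });
}

// Depth-first walk; returns one "a@1 > b@2 > ..." string per vulnerable occurrence,
// so a package pulled in on several paths is reported on each of them.
function findVulnerablePaths(tree, pkgName, range) {
  const hits = [];
  const walk = (name, node, path) => {
    const here = path.concat(`${name}@${node.version}`);
    if (name === pkgName && satisfies(node.version, range)) hits.push(here.join(' > '));
    for (const [depName, child] of Object.entries(node.dependencies || {})) {
      walk(depName, child, here);
    }
  };
  walk(tree.name, tree, []);
  return hits;
}

// Constructed sample tree (not a real `npm ls` dump). The chain through
// feathers-socketio and socket.io follows the path nsp printed; the
// socket.io-client hop and the newer copy under "other-lib" are assumptions.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'feathers-socketio': {
      version: '1.4.0',
      dependencies: {
        'socket.io': {
          version: '1.4.5',
          dependencies: {
            'socket.io-client': {
              version: '1.4.5',
              dependencies: { 'engine.io-client': { version: '1.6.8' } },
            },
          },
        },
      },
    },
    'other-lib': {
      version: '0.1.0',
      dependencies: { 'engine.io-client': { version: '2.0.0' } },
    },
  },
};

// The range exactly as nsp printed it while no patch existed: the first clause
// matches every version, so "Patched: None" means no upgrade clears the finding.
const RANGE_AS_REPORTED = '<= 99.999.99999 || <= 1.6.8';
// Hypothetical shape of the same advisory once a fixed release is published.
const RANGE_AFTER_FIX = '<= 1.6.8';

for (const range of [RANGE_AS_REPORTED, RANGE_AFTER_FIX]) {
  console.log(`range ${JSON.stringify(range)}:`);
  for (const p of findVulnerablePaths(SAMPLE_TREE, 'engine.io-client', range)) {
    console.log('  vulnerable: ' + p);
  }
}
```

With the range as reported, both copies of engine.io-client are flagged, including the hypothetical 2.0.0; with the post-fix range only the 1.6.8 copy under feathers-socketio remains, which is the situation the comments below describe: nothing to change in this project's own dependencies, just wait for the upstream patch release to land in the tree.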

@daffl
Member

daffl commented Apr 29, 2016

I don't think there is much we can do. Looks like it'll be a patch release so we won't need to change any of the dependencies. I don't know why Socket.io releases take so long. The React Native fix also has been merged almost a month ago and all that needs to be done is a patch release that we're still waiting for.

@daffl
Member

daffl commented May 7, 2016

It looks like this has been fixed now via socketio/engine.io-client@2a7a011

@daffl daffl closed this as completed May 7, 2016