Update package to remove the high severity vulnerability introduced in your package

[paimon0715]

Hi, @shakyShane,

Issue Description

I noticed that [email protected] transitively depends on [email protected]. Unfortunately,there is a high severity vulnerability CVE-2020-36048 detected in engine.io (versions:<4.0.0) :https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
As you can see, the above vulnerable package is referenced by [email protected] via:
[email protected] ➔ [email protected] ➔ [email protected]

As far as I know,[email protected] (142,176 downloads per week) is referenced by 2,131 downstream projects (e.g., @nguniversal/builders 12.1.0 (latest version), lite-server 2.6.1 (latest version), @11ty/eleventy 0.12.1 (latest version), @frctl/fractal 1.5.8 (latest version)), the vulnerability CVE-2020-36048 can be propagated into these downstream projects and expose security threats to them via the following package dependency paths:

1. @11ty/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
2. @angular-custom-builders/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
3. @bigcommerce/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
   ......

Therefore, if [email protected].* removes the vulnerable package from the above version, then its fixed version can help downstream users aviod this vulnerability.

Given the large number of downstream users, is it possible to update dependency to remove the vulnerability from [email protected]?

Fixing suggestions

In [email protected].*, you can simply try to perform the following upgrade :
socket.io 2.4.0 ➔ ^3.0.0;

Note:
[email protected](>=3.0.0-rc1) directly depends on [email protected] which has fixed the vulnerability (CVE-2020-36048).
Of course, your are welcome to share other ways to resolve the issue with me.^_^

Thank you for your attention to this issue.

Yours sincerely,
Paimon

[lachieh]

Duplicate issue. See #1850 for original.