Jun 17th, 2016

The Node Security project released an advisory yesterday about the negotiator package, a dependency of Sails, Express, Socket.io, and Connect.

tl;dr: Everything is cool.

Neither Sails nor Socket.io touches the problematic code paths inside the negotiator package. And even though the warnings aren't pertinent in this case, we know they're still annoying for folks with automated builds, so the core team is working on clearing them ASAP.

The linked issue from Mike has more information, including a blow-by-blow explanation of each place where one of Sails' dependencies touches negotiator, including:

  • socket.io
  • engine.io
  • accepts
  • serve-index
  • compression
  • and more

For more details, see: https://github.com/balderdashy/sails/issues/3768
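If you want to see for yourself which dependents in your own app pull in negotiator, and at what version, `npm ls negotiator` answers that on a real install. The script below is an added example (not from this post or the Sails project) that does the same walk by hand over a `node_modules` tree, so it also works on a checked-out tree without npm. The sample tree it builds, the package names in it, and the version numbers are all constructed for illustration; they are not a statement about which versions are affected.

```shell
#!/bin/sh
# Added example, not Sails code: list every copy of a package (here: negotiator)
# found under a node_modules tree, with its version and the package that owns
# the nested node_modules directory it sits in.

# Print "<dependent> <version> <path>" for every copy of package $2 under root $1.
# The dependent is the package directory that owns the node_modules the copy is in;
# copies directly under the root are reported as "(top-level)".
find_pkg_copies() {
  root="$1"; name="$2"
  find "$root" -type d -path "*/node_modules/$name" 2>/dev/null | sort | while read -r dir; do
    # Pull "version" out of package.json with sed, so no node or jq is needed.
    ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$dir/package.json")
    parent=$(dirname "$(dirname "$dir")")
    if [ "$parent" = "$root" ]; then dep="(top-level)"; else dep=$(basename "$parent"); fi
    printf '%s %s %s\n' "$dep" "$ver" "$dir"
  done
}

# Exit 0 if every copy of package $2 under $1 is exactly version $3,
# 1 if any copy differs, 2 if no copy was found at all (so "none" is not
# silently treated as "all good").
all_copies_at_version() {
  find_pkg_copies "$1" "$2" | awk -v want="$3" '
    $2 != want { bad = 1 }
    END { if (NR == 0) exit 2; exit bad ? 1 : 0 }'
}

# Constructed sample tree (hypothetical, not a real install): the app has one
# copy of negotiator at top level and an older nested copy under a dependent
# named "accepts". The version numbers are made up for the demonstration.
make_sample_tree() {
  root="$1"
  mk() { mkdir -p "$1"; printf '{ "name": "%s", "version": "%s" }\n' "$2" "$3" > "$1/package.json"; }
  mk "$root/node_modules/negotiator" negotiator 0.6.1
  mk "$root/node_modules/accepts" accepts 1.3.3
  mk "$root/node_modules/accepts/node_modules/negotiator" negotiator 0.5.3
}

# Stand-alone run: build the sample tree, list the copies, then check them.
if [ "${RUN_DEMO:-1}" = "1" ]; then
  demo_root=$(mktemp -d)
  make_sample_tree "$demo_root"
  find_pkg_copies "$demo_root" negotiator
  if all_copies_at_version "$demo_root" negotiator 0.6.1; then
    echo "all negotiator copies are 0.6.1"
  else
    echo "at least one negotiator copy is not 0.6.1 (nested copies are where the old versions hide)"
  fi
  rm -rf "$demo_root"
fi
```

The point of reporting the dependent rather than only the path is that a nested copy under a sub-dependency is what keeps an advisory alive after you bump the top-level version; run the script (or `npm ls negotiator`) against your real tree and check every row, not just the first.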

Written by

We make Sails work and things work with Sails.
