The Node Security project released an advisory yesterday about the
negotiator package, a dependency of Sails, Express, Socket.io, and Connect.
tl;dr: Everything is cool.
Neither Sails nor Socket.io touches the problematic code paths inside of the
negotiator package. And even though the warnings aren’t pertinent in this case, we know they’re still annoying for folks with automated builds, so the core team is working on taking care of them ASAP.
For more details, see: https://github.com/balderdashy/sails/issues/3768