Jun 17th, 2016

The Node Security project released an advisory yesterday about the negotiator package, a dependency of Sails, Express, Socket.io, and Connect.

tldr; Everything is cool.

Neither Sails nor Socket.io touches the problematic code paths inside of the negotiatorpackage. And even though the warnings aren’t pertinent in this case, we know they’re still annoying for folks with automated builds, so the core team is working on taking care of them ASAP.

The linked issue from Mike has more information and a blow by blow with an explanation covering each of the places where each of Sails’ dependencies touch negotiator, including:

  • socket.io
  • engine.io
  • accepts
  • serve-index
  • compression
  • and more

For more details, see: https://github.com/balderdashy/sails/issues/3768




We make Sails work and things work with Sails.