
socket.io-parser version update #14292

Merged
merged 12 commits into from
Mar 2, 2023

Conversation

andre4i
Contributor

@andre4i andre4i commented Feb 23, 2023

Description

https://nvd.nist.gov/vuln/detail/CVE-2022-2421

socket.io-parser used across the framework needs to be on at least 4.2.1

@github-actions github-actions bot added area: server Server related issues (routerlicious) base: main PRs targeted against main branch labels Feb 23, 2023
@andre4i
Contributor Author

andre4i commented Feb 23, 2023

I think I need your help with this, @tylerbutler. Although I added the override in the package.json file, I can still see the old versions in the lockfile. Not sure if it matters, as the top-level package declaration for the socket.io-parser is not the vulnerable version, but I just want to make sure this is doing what the description wants it to do.

/server/historian/lerna-package-lock.json:

		"@socket.io/redis-emitter": {
			"version": "4.1.1",
			"resolved": "https://registry.npmjs.org/@socket.io/redis-emitter/-/redis-emitter-4.1.1.tgz",
			"integrity": "sha512-N0wfcfcVJvPF1AjIlZ5efxGCz+8uY6qeCwIaRU+QUCNdqvtXQtlC/MtUJQCwVqs1MWP6Bv3TDuZGC04gIj7YuQ==",
			"requires": {
				"debug": "~4.3.1",
				"notepack.io": "~2.1.0",
				"socket.io-parser": "~4.0.4"
			},
			"dependencies": {
				"debug": {
					"version": "4.3.4",
					"resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
					"integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
					"requires": {
						"ms": "2.1.2"
					}
				},
				"notepack.io": {
					"version": "2.1.3",
					"resolved": "https://registry.npmjs.org/notepack.io/-/notepack.io-2.1.3.tgz",
					"integrity": "sha512-AgSt+cP5XMooho1Ppn8NB3FFaVWefV+qZoZncYTUSch2GAEwlYLcIIbT5YVkMlFeNHnfwOvc4HDlbvrB5BRxXA=="
				},
				"socket.io-parser": {
					"version": "4.0.5",
					"resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.0.5.tgz",
					"integrity": "sha512-sNjbT9dX63nqUFIOv95tTVm6elyIU4RvB1m8dOeZt+IgWwcWklFDOdmGcfo3zSiRsnR/3pJkjY5lfoGqEe4Eig==",
					"requires": {
						"@types/component-emitter": "^1.2.10",
						"component-emitter": "~1.3.0",
						"debug": "~4.3.1"
					}
				}
			}

server/historian/package.json:

  "overrides": {
    "awesome-typescript-loader": {
      "socket.io-parser": "^4.2.1"
    }
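
A check for the question raised above (whether nested copies still in the lockfile matter), as an added example that is not code from the Fluid Framework repo or this PR: it walks an npm lockfile and reports every resolved socket.io-parser below 4.2.1, including copies nested under other packages such as @socket.io/redis-emitter. The sample lockfile is constructed, and the two shapes it assumes are lockfileVersion 1 (nested `dependencies`) and lockfileVersion 2/3 (flat `packages` map).

```javascript
// Added example, not code from the Fluid Framework repo: list every resolved copy
// of a package in an npm lockfile whose version is below a minimum safe version.
function parseVersion(v) { // "4.0.5" -> [4, 0, 5]; pre-release suffix ignored
  return v.split('-')[0].split('.').map(Number);
}

function isBelow(version, minimum) {
  const a = parseVersion(version), b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// lockfileVersion 1: nested "dependencies" trees; record the path to each hit.
function walkV1(deps, name, minimum, path, out) {
  for (const [depName, entry] of Object.entries(deps || {})) {
    const here = [...path, depName];
    if (depName === name && entry.version && isBelow(entry.version, minimum)) {
      out.push({ path: here.join(' > '), version: entry.version });
    }
    walkV1(entry.dependencies, name, minimum, here, out);
  }
}

function findVulnerableCopies(lock, name, minimum) {
  const out = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by node_modules path
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key.endsWith('node_modules/' + name) && isBelow(entry.version, minimum)) {
        out.push({ path: key, version: entry.version });
      }
    }
  } else {
    walkV1(lock.dependencies, name, minimum, [], out);
  }
  return out;
}
// Constructed sample modelled on the lerna-package-lock.json excerpt in this thread:
// the top-level copy is fixed, but a nested copy under redis-emitter is still 4.0.5.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'socket.io-parser': { version: '4.2.1' },
    '@socket.io/redis-emitter': {
      version: '4.1.1',
      dependencies: { 'socket.io-parser': { version: '4.0.5' } },
    },
  },
};

console.log(findVulnerableCopies(sampleLock, 'socket.io-parser', '4.2.1'));
```

A `npm ls socket.io-parser` run in the package directory gives the same nested view, but the script can be pointed at a lockfile without installing anything.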

@tylerbutler
Member

server/historian/package.json:

  "overrides": {
    "awesome-typescript-loader": {
      "socket.io-parser": "^4.2.1"
    }

Unfortunately I think overrides are not respected by npm, and historian is still using npm. How urgent is this? I have a historian PR that switches to pnpm (#14294). I hope to merge it in the next couple of days. If this dep could wait, it would be a bit easier. If it's urgent, though, I can help more - just let me know.

@andre4i
Contributor Author

andre4i commented Feb 23, 2023

Thanks, @tylerbutler. I think it can wait a couple of days, as it will get into the next minor release, anyway. Tinylicious is in the same boat. Do you have plans to move that one as well?

@andre4i
Contributor Author

andre4i commented Feb 24, 2023

Hey @tylerbutler, thanks for migrating historian to pnpm. The override works now. Do you have the same plans for t9s? It's the only one left (the other tool - markdown documenter - appears to be honoring the override in npm).

@tylerbutler
Member

Hey @tylerbutler, thanks for migrating historian to pnpm. The override works now. Do you have the same plans for t9s? It's the only one left (the other tool - markdown documenter - appears to be honoring the override in npm).

@andre4i I have a PR in progress converting tinylicious to pnpm: #14356

@andre4i andre4i marked this pull request as ready for review February 28, 2023 22:54
@andre4i andre4i requested review from msfluid-bot and a team as code owners February 28, 2023 22:54
@andre4i
Contributor Author

andre4i commented Mar 1, 2023

@tylerbutler can you take a look?

@andre4i andre4i merged commit 830b0ea into microsoft:main Mar 2, 2023
Labels
area: server Server related issues (routerlicious) base: main PRs targeted against main branch