npm deep audit vulnerability

Problem description

Background:

I wanted to move to Koa from express, however, I also use socket.io for much of my work, and need to share sessions across connection types. Enter koa-socket-session.

When I install this, npm is faithful to warn me that there is one High severity vulnerability:

koa-socket-session > koa-socket.io > socket.io > socket.io-client > engine.io-client > parsejson

Being the nice dev that I am, I decide I'll fork it and submit a patch.

Within a few moments, I realize that the problem is there is a very old version of socket.io required by koa-socket.io. I figure I'll just fix up the breaking changes, submit a patch and be good to go. BUT...

Problem

After I patch that issue, even if there are no breaking changes for the rest of the line up to my project, there ARE major version number changes, so I have to fork each one of those projects to fix the dependency chain.

However, until the previous fork is pulled into the main branch, if it ever even is, I can't patch the next step without pointing the dependency to my own fork and splitting all of their code bases. This could take months, years or maybe never even happen if my pull requests are not accepted.

Solutions?

The only solutions I can come up with are:

  1. Build an entirely new chain of dependencies, give them all new names, publish them on npmjs and github and abandon all the current packages.
  2. Merge all of the dependencies into one, and publish them as a self-contained package.

Clearly, either method would be a complete violation of the community standards. I am REALLY not looking to usurp all these projects, and chances are my forks would never be used by anyone but me, so I'd fall behind everyone else.

I imagine this problem comes up hundreds of times every day, and with such a tried and true system like npm, there must be a standard way to handle it, but I could not find the "right" solution out there anywhere. What is the correct method to handle this?

Tags: node.js, npm, git-fork
