Update socket.io-client to 2.4.0

[lamosty]

Should fix the security issue from p3btAN-1qI-p2.

Testing instructions

npm install and npm start, open localhost:9000 and https://hud-staging.happychat.io/ and try to chat with yourself.

[lamosty]

I did a little bit more digging into the npm packages dependency tree of the app and it looks like the only package which depends on the problematic xmlhttprequest-ssl is engine.io-client:

When I checked out their GH repo for more info, I found this CHANGELOG commit with some more info regarding the vulnerability: socketio/engine.io-client@df6a547. In it, they say that:

This release only contains a bump of xmlhttprequest-ssl, in order to fix the following vulnerability: https://www.npmjs.com/advisories/1665.
Please note that engine.io-client was not directly impacted by this vulnerability, since we are always using async: true.

So it looks like we never really had this particular issue in this app! 😌

Should we close this PR then and consider the issue "resolved" or am I making some error in my thinking here? I'm not really a backend node.js dev and learned about the npm list command just recently so I might be missing something.

If we still wanted to upgrade engine.io-client to a version which is using the fixed version of xmlhttprequest-ssl, it looks like we just need to bump socket.io-client to 2.4.0 which should then use engine.io-client 3.5.2 which should in turn use xmlhttprequest-ssl 1.6.2 (the fixed version).

However, as @mattwondra mentioned, that would mean having to deploy happychat-client to all its users and manually smoke-test and watch all of them for issues. Does "Woo and Newspack" mean all Woo sites and all Newspack sites or what exactly would that mean?

I'd personally prefer not upgrading to not cause any deploy issues since I've never worked on this app nor have I ever deployed it to its users so I'm not sure what all and where all I would need to look for issues. But if somebody more familiar with happychat-client is up for it, we "just" need to upgrade socket.io-client to 2.4.0.

/cc @lezama @Automattic/lighthouse

[mattwondra]

Should we close this PR then and consider the issue "resolved" or am I making some error in my thinking here?

AFAIK the steps you took accurately identified the only dependency that would need to be upgraded (engine.io-client via socket.io-client)

However your screenshot was taken after the code in this PR has been applied, so those aren't the actual current package versions. If you rm -r node_modules && npm install here's what you get:

The engine.io-client changelog notes you linked say it always used async: true in v3.5.1. But we're currently at v3.2.1 — we can't trust that assumption for our case. If you were able to audit the code at that version and confirm it also only uses async: true you could be reasonably sure the xmlhttprequest-ssl bug is a nonissue.