SockJS-client is a JavaScript library providing a WebSocket-like object, enabling low-latency, full-duplex, cross-domain communication between browsers and web servers. Versions 1.0.1 and 1.0.2 share the same core functionality and dependencies, including libraries like debug, eventsource, faye-websocket, inherits, json3, and url-parse for robust communication handling. Both versions maintain the same development dependencies, utilizing tools such as browserify, gulp, and mocha for building, testing, and ensuring code quality.
A key consideration for developers is the release date: version 1.0.2 arrived shortly after 1.0.1, suggesting that the newer version is a patch or minor update to the previous release. Developers reviewing the library for integration should consult the changelog between these two versions, where available, to understand the specific bug fixes, performance improvements, or minor feature adjustments. While the core features are identical, using the newest version of the package is always recommended because it may contain bug fixes and security updates. The library is licensed under the MIT license and maintained in a git repository. Both versions were authored by Bryce Kahle.
All vulnerabilities related to version 1.0.2 of the package
Exposure of Sensitive Information in eventsource
When a fetched URL redirects to an external site, the user's Cookie and Authorization headers are leaked to the third-party application. According to the same-origin policy, these headers should be sanitized before the cross-origin redirect is followed.
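The check a client library should apply before following a redirect, shown as an added example that is not code from sockjs-client or eventsource: credential-bearing headers are forwarded only when the redirect target shares the original request's origin. The function names, header list and sample values are assumptions made for this example.

```javascript
// Added example: decide which request headers may be forwarded when an
// HTTP client follows a redirect. Headers that carry credentials are
// dropped as soon as the redirect target is on a different origin.
// Function names and the header list are assumptions for this example.
const CREDENTIAL_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Two URLs share an origin when scheme, host and port all match
// (URL normalizes the default port to an empty string, so :443 equals no port).
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Vulnerable behaviour: every header is copied to the redirect target,
// so a redirect to a third-party host receives the Cookie and Authorization values.
function headersForRedirectUnsafe(fromUrl, location, headers) {
  return { ...headers };
}

// Hardened behaviour: resolve the Location value against the original URL
// (it may be relative), then strip credential headers on a cross-origin hop.
function headersForRedirect(fromUrl, location, headers) {
  const target = new URL(location, fromUrl).toString();
  if (sameOrigin(fromUrl, target)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Constructed sample request headers, as a client might send to a stream endpoint.
const sampleHeaders = {
  Cookie: 'session=abc123',           // constructed value
  Authorization: 'Bearer token-xyz',  // constructed value
  Accept: 'text/event-stream',
};

console.log('unsafe, cross-origin:', headersForRedirectUnsafe('https://app.example/stream', 'https://third-party.example/', sampleHeaders));
console.log('hardened, cross-origin:', headersForRedirect('https://app.example/stream', 'https://third-party.example/', sampleHeaders));
console.log('hardened, same-origin:', headersForRedirect('https://app.example/stream', '/stream2', sampleHeaders));
```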