Echo Version
2.2.7
Laravel Version
12.44.0
PHP Version
8.5.1
NPM Version
bun 1.3.5
Database Driver & Version
No response
Description
Remove socket.io-client dependency to eliminate security vulnerabilities
Problem
Laravel Echo includes socket.io-client as a hard dependency, causing security audit failures for users exclusively using Pusher/Reverb:
$ bun audit
parseuri <2.0.0
laravel-echo › socket.io-client › engine.io-client › parseuri
moderate: parse-uri Regular expression Denial of Service (ReDoS)
https://github.com/advisories/GHSA-6fx8-h7jm-663j
1 vulnerabilities (1 moderate)
socket.io-client@2.4.0 is old (from 2019?) and uses the vulnerable parseuri@0.0.6. Latest socket.io removed this dep as it's unmaintained. Since Laravel Echo is not supporting latest socket.io (and it has been said multiple times it's not planned or wanted iirc) it would make sense to prefer the Reverb/Pusher era and make a new v3.0.0 release that removes all socket.io-related code and deps.
Then those that are still using the outdated socket.io methods can lock to v2.2.7.
Impact:
- Security audits fail for projects using only Pusher/Reverb
- CI/CD pipelines with strict audit requirements break/fail
- Forces users to add overrides/resolutions to silence audits
- Creates unnecessary noise in dependency vulnerability tracking
- Adds complexity to Laravel Echo for a driver you don't even want to support.
Workaround to silence:
"peerDependenciesMeta": {
  "socket.io-client": {
    "optional": true
  }
},
or
"overrides": {
  "socket.io-client": "^4.8.1"
}
Steps To Reproduce
$ bun audit
parseuri <2.0.0
laravel-echo › socket.io-client › engine.io-client › parseuri
moderate: parse-uri Regular expression Denial of Service (ReDoS)
https://github.com/advisories/GHSA-6fx8-h7jm-663j
1 vulnerabilities (1 moderate)
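As an added example, not code from this issue or from the laravel/echo project: a small Node script that walks an npm-style lockfile (a v3 `packages` map, constructed here to mirror the audit chain above; the engine.io-client version is assumed) to show which top-level dependency pulls in the flagged package and whether an override has actually moved the resolved version out of the vulnerable range.

```javascript
// Added example, not from the laravel/echo issue or project. Assumes an npm lockfile
// v3-style "packages" map; the data is constructed to mirror the reported audit chain.
const lock = {
  packages: {
    "node_modules/laravel-echo": { version: "2.2.7", dependencies: { "socket.io-client": "^2.4.0" } },
    "node_modules/socket.io-client": { version: "2.4.0", dependencies: { "engine.io-client": "~3.5.0" } },
    "node_modules/engine.io-client": { version: "3.5.4", dependencies: { parseuri: "0.0.6" } },
    "node_modules/parseuri": { version: "0.0.6" },
  },
};
// Node-style resolution: nested node_modules first, then strip one level at a time up to the top.
function resolveDep(packages, fromKey, dep) {
  let base = fromKey;
  while (true) {
    const candidate = `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    const i = base.lastIndexOf("/node_modules/");
    if (i === -1) break;
    base = base.slice(0, i);
  }
  return packages[`node_modules/${dep}`] ? `node_modules/${dep}` : null;
}
// Depth-first search for the chain of name@version entries from rootKey down to target.
function findChain(packages, rootKey, target, seen = new Set()) {
  const pkg = packages[rootKey];
  if (!pkg || seen.has(rootKey)) return null;
  seen.add(rootKey);
  const name = rootKey.slice(rootKey.lastIndexOf("node_modules/") + 13);
  const self = `${name}@${pkg.version}`;
  if (name === target) return [self];
  for (const dep of Object.keys(pkg.dependencies || {})) {
    const depKey = resolveDep(packages, rootKey, dep);
    const rest = depKey && findChain(packages, depKey, target, seen);
    if (rest) return [self, ...rest];
  }
  return null;
}
// Numeric dotted-version comparison, enough for a range such as parseuri <2.0.0.
function versionBelow(version, bound) {
  const n = Math.max(version.split(".").length, bound.split(".").length);
  const [a, b] = [version, bound].map(v => v.split(".").map(Number).concat(Array(n).fill(0)).slice(0, n));
  const i = a.findIndex((x, k) => x !== b[k]);
  return i !== -1 && a[i] < b[i];
}
// Explain a finding: the path that pulls the package in, and whether the resolved version is still flagged.
function auditChain(packages, rootDep, target, vulnerableBelow) {
  const chain = findChain(packages, `node_modules/${rootDep}`, target);
  const last = chain && chain[chain.length - 1];
  return { chain, vulnerable: !!last && versionBelow(last.slice(last.lastIndexOf("@") + 1), vulnerableBelow) };
}
console.log(auditChain(lock.packages, "laravel-echo", "parseuri", "2.0.0"));
```

Re-running the same check against the lockfile produced after applying the "overrides" entry shows whether the finding is gone or merely hidden from the audit output.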