Hi, @shakyShane,

Issue Description

I noticed that browser-sync@2.27.4 transitively depends on engine.io@3.5.0. Unfortunately,there is a high severity vulnerability CVE-2020-36048 detected in engine.io (versions:<4.0.0) :https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
As you can see, the above vulnerable package is referenced by browser-sync@2.27.4 via:
browser-sync@2.27.4 ➔ socket.io@2.4.0 ➔ engine.io@3.5.0

As far as I know,browser-sync@2.27.4 (142,176 downloads per week) is referenced by 2,131 downstream projects (e.g., @nguniversal/builders 12.1.0 (latest version), lite-server 2.6.1 (latest version), @11ty/eleventy 0.12.1 (latest version), @frctl/fractal 1.5.8 (latest version)), the vulnerability CVE-2020-36048 can be propagated into these downstream projects and expose security threats to them via the following package dependency paths:

1. @11ty/eleventy@0.12.1 ➔ browser-sync@2.27.4 ➔ socket.io@2.4.0 ➔ engine.io@3.5.0
2. @angular-custom-builders/lite-serve@0.2.3 ➔ browser-sync@2.27.4 ➔ socket.io@2.4.0 ➔ engine.io@3.5.0
3. @bigcommerce/stencil-cli@3.3.0 ➔ browser-sync@2.27.4 ➔ socket.io@2.4.0 ➔ engine.io@3.5.0
   ......

Therefore, if browser-sync@2.27.* removes the vulnerable package from the above version, then its fixed version can help downstream users aviod this vulnerability.

Given the large number of downstream users, is it possible to update dependency to remove the vulnerability from browser-sync@2.27.4?

Fixing suggestions

In browser-sync@2.27.*, you can simply try to perform the following upgrade :
socket.io 2.4.0 ➔ ^3.0.0;

Note:
socket.io@3.0.0(>=3.0.0-rc1) directly depends on engine.io@4.0.6 which has fixed the vulnerability (CVE-2020-36048).
Of course, your are welcome to share other ways to resolve the issue with me.^_^

Thank you for your attention to this issue.

Yours sincerely,
Paimon