Vulnerability is in socket.io-file. Package is downloaded about 500 times a week. The more popular socket.io is not dependant.