fix(deps): update dependency socket.io to v4.6.2 [security] - abandoned #29712
This PR contains the following updates:
socket.io: `4.0.1` -> `4.6.2`
GitHub Vulnerability Alerts
GHSA-25hc-qcg6-38wj
Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
Affected versions

| Version range | Fixed version |
| --- | --- |
| 4.6.2...latest | Not impacted |
| 3.0.0...4.6.1 | socket.io@4.6.2 |
| (at least) 2.3.0...2.5.0 | socket.io@2.5.1 |
Patches
This issue is fixed by socketio/socket.io@15af22f, included in socket.io@4.6.2 (released in May 2023). The fix was backported in the 2.x branch today: socketio/socket.io@d30630b
Workarounds
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event.

For more information

If you have any questions or comments about this advisory:

Thanks a lot to Paul Taylor for the responsible disclosure.
References
Release Notes
socketio/socket.io (socket.io)
v4.6.2
Compare Source
Bug Fixes
- exports: move `types` condition to the top (#4698) (3d44aae)

Dependencies
- engine.io@~6.4.2 (diff)
- ws@~8.11.0 (no change)

v4.6.1
Compare Source
Bug Fixes
Dependencies
- engine.io@~6.4.1 (diff)
- ws@~8.11.0 (no change)

v4.6.0
Compare Source
Bug Fixes
Features
Promise-based acknowledgements
This commit adds some syntactic sugar around acknowledgements:
emitWithAck()
serverSideEmitWithAck()
Added in 184f3cf.
Connection state recovery
This feature allows a client to reconnect after a temporary disconnection and restore its state:
Usage:
Here's how it works:
- ... `id` attribute, which is public and can be freely shared)

The in-memory adapter already supports this feature, and we will soon update the Postgres and MongoDB adapters. We will also create a new adapter based on Redis Streams, which will support this feature.
Added in 54d5ee0.
Compatibility (for real) with Express middlewares
This feature implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.
Syntax:
A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.
Added in 24786e7.
Error details in the disconnecting and disconnect events
The `disconnect` event will now contain additional details about the disconnection reason.

Added in 8aa9499.
Automatic removal of empty child namespaces
This commit adds a new option, "cleanupEmptyChildNamespaces". With this option enabled (disabled by default), when a socket disconnects from a dynamic namespace and if there are no other sockets connected to it then the namespace will be cleaned up and its adapter will be closed.
Added in 5d9220b.
A new "addTrailingSlash" option
The trailing slash which was added by default can now be disabled:
In the example above, the clients can omit the trailing slash and use `/socket.io` instead of `/socket.io/`.

Added in d0fd474.
Performance Improvements
Dependencies
- engine.io@~6.4.0 (socketio/engine.io@6.2.1...6.4.0)
- ws@~8.11.0 (websockets/ws@8.2.3...8.11.0)

v4.5.4
Compare Source
This release contains a bump of:
- `engine.io` in order to fix CVE-2022-41940
- `socket.io-parser` in order to fix CVE-2022-2421.

Dependencies
- engine.io@~6.2.1 (diff)
- ws@~8.2.3 (no change)

v4.5.3
Compare Source
Bug Fixes
Dependencies
- engine.io@~6.2.0 (no change)
- ws@~8.2.3 (no change)

v4.5.2
Compare Source
Bug Fixes
Dependencies
- engine.io@~6.2.0 (no change)
- ws@~8.2.3 (no change)

v4.5.1
Compare Source
Bug Fixes
Dependencies
- engine.io@~6.2.0 (no change)
- ws@~8.2.3 (no change)

v4.5.0
Compare Source
Bug Fixes
Features
Catch-all listeners for outgoing packets
This is similar to `onAny()`, but for outgoing packets.

Syntax:
Added in 531104d.
Broadcast and expect multiple acknowledgements
Syntax:
Added in 8b20457.
`maxHttpBufferSize` value negotiation

A "maxPayload" field is now included in the Engine.IO handshake, so that clients in HTTP long-polling can decide how many packets they have to send to stay under the `maxHttpBufferSize` value.

This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as we only add a field in the JSON-encoded handshake data:
Added in 088dcb4.
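The negotiation described above, as an added example in JavaScript that is not engine.io's or socket.io's own client code: a long-polling client reads `maxPayload` from the handshake, falls back to the protocol default when an older server omits the field, and splits its queued packets so that each polling body stays within the limit. The server-side size check the negotiation exists to satisfy is included so both sides can be verified against each other. The handshake JSON and the packets are constructed samples, the framing (packets joined with the ASCII record separator 0x1E) is Engine.IO v4's polling encoding, the 1 MB default mirrors engine.io's default `maxHttpBufferSize`, and `batchPackets`, `planPollingRequests` and the other names are this example's own.

```javascript
const RECORD_SEPARATOR = "\x1e"; // Engine.IO v4 polling: packets in one body are joined with 0x1E
const DEFAULT_MAX_PAYLOAD = 1e6; // engine.io's default maxHttpBufferSize (1 MB), assumed when unannounced

// Constructed handshake JSON, shaped like the first polling response from a server.
// A tiny maxPayload is used so the sample below splits into more than one request.
const HANDSHAKE = JSON.parse(
  '{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":20000,"maxPayload":64}'
);

// Constructed sample: already-encoded socket.io EVENT packets ("4" Engine.IO message + "2" socket.io event).
const SAMPLE_PACKETS = [
  '42["chat","hello"]',
  '42["chat","how are you?"]',
  '42["typing",true]',
  '42["chat","a longer message that takes more room in the buffer"]',
];

// Servers older than 4.5.0 do not send maxPayload; fall back to the protocol default.
function negotiatedMaxPayload(handshake) {
  const v = handshake.maxPayload;
  return Number.isInteger(v) && v > 0 ? v : DEFAULT_MAX_PAYLOAD;
}

// Split encoded packets into groups whose joined byte length is <= maxPayload.
// UTF-8 byte length is used because that is what the server measures on the wire.
function batchPackets(packets, maxPayload) {
  const batches = [];
  let current = [];
  let currentBytes = 0;
  for (const packet of packets) {
    const bytes = Buffer.byteLength(packet, "utf8");
    if (bytes > maxPayload) {
      // Edge case: a packet that can never fit. The server would reject the request,
      // so fail on the client side before sending anything.
      throw new RangeError(`packet of ${bytes} bytes exceeds maxPayload ${maxPayload}`);
    }
    const separator = current.length ? 1 : 0;
    if (currentBytes + separator + bytes > maxPayload) {
      batches.push(current);
      current = [];
      currentBytes = 0;
    }
    currentBytes += (current.length ? 1 : 0) + bytes;
    current.push(packet);
  }
  if (current.length) batches.push(current);
  return batches;
}

function encodePayload(batch) {
  return batch.join(RECORD_SEPARATOR);
}

// Server side: a body over maxHttpBufferSize is rejected before it is decoded,
// so an oversized payload never reaches the parser.
function serverAcceptsBody(body, maxHttpBufferSize) {
  return Buffer.byteLength(body, "utf8") <= maxHttpBufferSize;
}

// End to end: plan the polling requests for the queued packets and check each
// one against the same limit the server enforces.
function planPollingRequests(handshake, packets) {
  const limit = negotiatedMaxPayload(handshake);
  return batchPackets(packets, limit).map((batch) => {
    const body = encodePayload(batch);
    return {
      packets: batch.length,
      bytes: Buffer.byteLength(body, "utf8"),
      accepted: serverAcceptsBody(body, limit),
    };
  });
}
```

With the sample handshake (`maxPayload: 64`) the four packets become two requests: the first three (62 bytes including separators) and the 64-byte fourth on its own, both accepted; sending all four in one body (127 bytes) would be refused, which is exactly the failure the announced limit lets a client avoid.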
Dependencies
- engine.io@~6.2.0 (socketio/engine.io@6.1.0...6.2.0)
- ws@~8.2.3 (no change)

4.4.1 (2022-01-06)
Bug Fixes
- make `RemoteSocket.data` type safe (#4234) (770ee59)
- add `SocketData` type to custom namespaces (#4233) (f2b8de7)

v4.4.1
Compare Source
Bug Fixes
- make `RemoteSocket.data` type safe (#4234) (770ee59)
- add `SocketData` type to custom namespaces (#4233) (f2b8de7)

v4.4.0
Compare Source
Bug Fixes
Features
- `socket.data` (#4159) (fe8730c)

4.3.2 (2021-11-08)
Bug Fixes
4.3.1 (2021-10-16)
Bug Fixes
v4.3.2
Compare Source
Bug Fixes
v4.3.1
Compare Source
Bug Fixes
v4.3.0
Compare Source
Bug Fixes
Features
v4.2.0
Compare Source
Bug Fixes
Features
4.1.3 (2021-07-10)
Bug Fixes
4.1.2 (2021-05-17)
Bug Fixes
4.1.1 (2021-05-11)
Bug Fixes
v4.1.3
Compare Source
Bug Fixes
v4.1.2
Compare Source
Bug Fixes
v4.1.1
Compare Source
Bug Fixes
v4.1.0
Compare Source
Features
- (from engine.io)
- (from engine.io)

Performance Improvements
4.0.2 (2021-05-06)
Bug Fixes
4.0.1 (2021-03-31)
Bug Fixes
v4.0.2
Compare Source
Bug Fixes
Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.