
dependency(deps): update dependency engine.io to v6.4.2 [security] #26664

Merged: 2 commits merged into develop from renovate/npm-engine.io-vulnerability on May 4, 2023

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented May 4, 2023

Mend Renovate

This PR contains the following updates:

Package     Change
engine.io   6.2.1 -> 6.4.2

GitHub Vulnerability Alerts

CVE-2023-31125

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
    at Server.onWebSocket (build/server.js:515:67)

This impacts all users of the engine.io package, including those who use dependent packages such as socket.io.
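The crash the advisory describes, modelled as an added example (JavaScript, not engine.io's own source): a client-controlled query parameter, assumed here to name the transport, is used as a lookup key and a property is then read on the undefined result; the hardened handler validates the name against an allow-list first and answers with a 400 instead of throwing. The TRANSPORTS registry, the handler names and the sample URLs are constructed for the illustration.

```javascript
// Added illustration, not engine.io's source: it models the bug class behind
// CVE-2023-31125 (an untrusted query parameter used as a lookup key, then a
// property read on the undefined result). All names here are hypothetical.

// Transports known to this toy server; "handlesUpgrades" mirrors the property
// named in the advisory's stack trace.
const TRANSPORTS = {
  polling: { handlesUpgrades: false },
  websocket: { handlesUpgrades: true },
};

// Vulnerable pattern: the transport name comes straight from the query string,
// so an unknown name yields undefined and the property read throws
// "TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')".
// Uncaught inside a Node.js request handler, that terminates the process.
function onWebSocketVulnerable(query) {
  const transport = TRANSPORTS[query.transport];
  return { upgrade: transport.handlesUpgrades };
}

// Hardened pattern: validate the untrusted value against the allow-list first
// and answer a malformed request with a protocol error (HTTP 400) instead of
// letting an exception escape the handler.
function onWebSocketHardened(query) {
  const name = query.transport;
  if (typeof name !== "string" ||
      !Object.prototype.hasOwnProperty.call(TRANSPORTS, name)) {
    return { status: 400, error: "unknown transport" };
  }
  return { status: 200, upgrade: TRANSPORTS[name].handlesUpgrades };
}

// Query string of a request URL as a plain object (Node's global URL class).
function parseQuery(url) {
  return Object.fromEntries(new URL(url, "http://localhost").searchParams);
}

// Reports whether a handler throws a TypeError on the given request URL.
function crashesOn(handler, url) {
  try { handler(parseQuery(url)); return false; }
  catch (e) { return e instanceof TypeError; }
}

// Constructed sample requests, not captured traffic.
const GOOD_URL = "/engine.io/?EIO=4&transport=websocket";
const BAD_URL = "/engine.io/?EIO=4&transport=bogus";
```

The same allow-list check is what turns a process-killing exception into a logged 4xx, which is also the signal a detection rule can key on once the fixed version is deployed.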

Patches

A fix has been released today (2023/05/02): 6.4.2

This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.

For socket.io users:

Version range               engine.io version   Needs minor update?
socket.io@4.6.x             ~6.4.0              npm audit fix should be sufficient
socket.io@4.5.x             ~6.2.0              Please upgrade to socket.io@4.6.x
socket.io@4.4.x             ~6.1.0              Please upgrade to socket.io@4.6.x
socket.io@4.3.x             ~6.0.0              Please upgrade to socket.io@4.6.x
socket.io@4.2.x             ~5.2.0              Please upgrade to socket.io@4.6.x
socket.io@4.1.x             ~5.1.1              Please upgrade to socket.io@4.6.x
socket.io@4.0.x             ~5.0.0              Not impacted
socket.io@3.1.x             ~4.1.0              Not impacted
socket.io@3.0.x             ~4.0.0              Not impacted
socket.io@2.5.0             ~3.6.0              Not impacted
socket.io@2.4.x and below   ~3.5.0              Not impacted

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Thanks to Thomas Rinsma from Codean for the responsible disclosure.


Release Notes

socketio/engine.io

v6.4.2

Compare Source

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
  at Server.onWebSocket (build/server.js:515:67)

Please upgrade as soon as possible.

Bug Fixes
  • include error handling for Express middlewares (#674) (9395782)
  • prevent crash when provided with an invalid query param (fc480b4)
  • typings: make clientsCount public (#675) (bd6d471)
  • uws: prevent crash when using with middlewares (8b22162)
Credits

Huge thanks to @tyilo and @cieldeville for helping!

Dependencies

v6.4.1

Compare Source

This release contains 6e78489, which exports the BaseServer class in order to restore the compatibility with the nodenext module resolution strategy of TypeScript.

Reference: https://www.typescriptlang.org/tsconfig/#moduleResolution

Related: https://github.com/socketio/socket.io/issues/4621

Dependencies

v6.4.0

Compare Source

Features
  • add support for Express middlewares (24786e7)

This commit implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.

A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.

Syntax:

engine.use((req, res, next) => {
  // do something

  next();
});

// with express-session
import session from "express-session";

engine.use(session({
  secret: "keyboard cat",
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}));

// with helmet
import helmet from "helmet";

engine.use(helmet());
Dependencies

v6.3.1

Compare Source

Dependencies

v6.3.0

Compare Source

Bug Fixes
  • fix the ES module wrapper (ed87609)
  • wait for all packets to be sent before closing the WebSocket connection (a65a047)
Features

The trailing slash which was added by default can now be disabled:

import { Server } from "engine.io";

const server = new Server();

server.attach(httpServer, {
  addTrailingSlash: false
});

In the example above, the clients can omit the trailing slash and use /engine.io instead of /engine.io/.

Performance Improvements
  • add the wsPreEncodedFrame option (5e34722)

This will be used when broadcasting packets at the Socket.IO level.

See also: socketio/socket.io-adapter@5f7b47d

Dependencies

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added renovate Triggered by renovatebot type: dependencies labels May 4, 2023
@cypress

cypress bot commented May 4, 2023

6 flaky tests on run #46031 ↗︎

0 5407 96 0 Flakiness 6

Details:

updating changelog
Project: cypress Commit: 2ad4254397
Status: Passed Duration: 13:14 💡
Started: May 4, 2023 9:40 PM Ended: May 4, 2023 9:53 PM
Flakiness  commands/net_stubbing.cy.ts • 1 flaky test • 5x-driver-electron

network stubbing > intercepting request > can delay and throttle a StaticResponse
Flakiness  cypress/cypress.cy.js • 3 flaky tests • 5x-driver-electron

... > correctly returns currentRetry
... > correctly returns currentRetry
... > correctly returns currentRetry
Flakiness  project-setup.cy.ts • 2 flaky tests • launchpad-e2e

... > shows the configuration setup page when selecting e2e tests
... > can skip setup CT testing for an E2E project

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.

@nagash77 nagash77 changed the title dependency(deps): update dependency engine.io to v6.4.2 [security] chore(deps): update dependency engine.io to v6.4.2 [security] May 4, 2023
@renovate renovate bot changed the title chore(deps): update dependency engine.io to v6.4.2 [security] dependency(deps): update dependency engine.io to v6.4.2 [security] May 4, 2023
@renovate renovate bot force-pushed the renovate/npm-engine.io-vulnerability branch from 965eed4 to ddf887a Compare May 4, 2023 14:02
@nagash77 nagash77 changed the title dependency(deps): update dependency engine.io to v6.4.2 [security] chore(deps): update dependency engine.io to v6.4.2 [security] May 4, 2023
@renovate renovate bot changed the title chore(deps): update dependency engine.io to v6.4.2 [security] dependency(deps): update dependency engine.io to v6.4.2 [security] May 4, 2023
@renovate
Contributor Author

renovate bot commented May 4, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

@mjhenkes mjhenkes merged commit 1d7ae10 into develop May 4, 2023
@mjhenkes mjhenkes deleted the renovate/npm-engine.io-vulnerability branch May 4, 2023 22:58
@cypress-bot
Contributor

cypress-bot bot commented May 12, 2023

Released in 12.12.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v12.12.0, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators May 12, 2023