dependency(deps): update dependency engine.io to v6.4.2 [security] #26664
cypress-bot: 6 flaky tests on run #46031
Details:
commands/net_stubbing.cy.ts • 1 flaky test • 5x-driver-electron
cypress/cypress.cy.js • 3 flaky tests • 5x-driver-electron
project-setup.cy.ts • 2 flaky tests • launchpad-e2e
This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.
965eed4 to ddf887a
Edited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠ Warning: custom changes will be lost.
Released in
This comment thread has been locked. If you are still experiencing this issue after upgrading to
This PR contains the following updates:

| Package | Change |
|---|---|
| engine.io | 6.2.1 -> 6.4.2 |
GitHub Vulnerability Alerts
CVE-2023-31125
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
This impacts all users of the engine.io package, including those who use dependent packages such as socket.io.
Patches
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.
For socket.io users:

| socket.io version | engine.io version | Action |
|---|---|---|
| socket.io@4.6.x | ~6.4.0 | npm audit fix should be sufficient |
| socket.io@4.5.x | ~6.2.0 | upgrade to socket.io@4.6.x |
| socket.io@4.4.x | ~6.1.0 | upgrade to socket.io@4.6.x |
| socket.io@4.3.x | ~6.0.0 | upgrade to socket.io@4.6.x |
| socket.io@4.2.x | ~5.2.0 | upgrade to socket.io@4.6.x |
| socket.io@4.1.x | ~5.1.1 | upgrade to socket.io@4.6.x |
| socket.io@4.0.x | ~5.0.0 | not impacted |
| socket.io@3.1.x | ~4.1.0 | not impacted |
| socket.io@3.0.x | ~4.0.0 | not impacted |
| socket.io@2.5.0 | ~3.6.0 | not impacted |
| socket.io@2.4.x and below | ~3.5.0 | not impacted |
Workarounds
There is no known workaround except upgrading to a safe version.
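The advisory gives the affected engine.io range in prose (introduced in 5.1.0, fixed in 6.4.2) and a per-version action table, but a repository can carry several copies of engine.io, nested under different dependents, and a top-level bump like this PR only touches one of them. The following is an added example, not code from this PR, from Renovate or from the engine.io project: it walks an npm lock file, lists every installed copy of engine.io and flags the ones inside the affected range. The lock-file object at the bottom is constructed for the example and its version numbers are illustrative.

```javascript
// Added example (not part of this PR or of the advisory): flag every installed
// copy of engine.io whose version lies in the range the advisory describes.

const VULN_INTRODUCED = "5.1.0"; // from the advisory text
const VULN_FIXED = "6.4.2";      // from the advisory text

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored) into numbers.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected iff 5.1.0 <= version < 6.4.2.
function isVulnerableEngineIo(version) {
  return compareSemver(version, VULN_INTRODUCED) >= 0 &&
    compareSemver(version, VULN_FIXED) < 0;
}

// Collect every installed copy of `name`, including nested duplicates.
// Supports lockfileVersion 2/3 ("packages", keyed by path) and 1 (nested "dependencies").
function findInstalled(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${name}`) && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name && entry.version) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

function auditEngineIo(lock) {
  return findInstalled(lock, "engine.io").map((e) => ({
    ...e,
    vulnerable: isVulnerableEngineIo(e.version),
  }));
}

// Constructed sample lock file: the top-level 6.2.1 this PR replaces, a nested
// 6.1.0 under a hypothetical "legacy-tool" that a top-level bump would not touch,
// and a nested 5.0.0 under a hypothetical "ancient-tool" that predates the bug.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app" },
    "node_modules/socket.io": { version: "4.5.4" },
    "node_modules/engine.io": { version: "6.2.1" },
    "node_modules/legacy-tool/node_modules/engine.io": { version: "6.1.0" },
    "node_modules/ancient-tool/node_modules/engine.io": { version: "5.0.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditEngineIo(sampleLock)) {
    console.log(`${r.path}: ${r.version} ${r.vulnerable ? "VULNERABLE (CVE-2023-31125)" : "ok"}`);
  }
}
```

Run it with `node` against a real `package-lock.json` by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; any nested copy it reports in the affected range needs its own bump (or `npm audit fix`), not just the top-level one this PR changes.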
For more information
If you have any questions or comments about this advisory:
engine.io
Thanks to Thomas Rinsma from Codean for the responsible disclosure.
Release Notes
socketio/engine.io
v6.4.2
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
Please upgrade as soon as possible.
Bug Fixes
Credits
Huge thanks to @tyilo and @cieldeville for helping!
Dependencies
ws@~8.11.0 (no change)

v6.4.1
This release contains 6e78489, which exports the BaseServer class in order to restore the compatibility with the nodenext module resolution strategy of TypeScript.
Reference: https://www.typescriptlang.org/tsconfig/#moduleResolution
Related: https://github.com/socketio/socket.io/issues/4621
Dependencies
ws@~8.11.0 (no change)

v6.4.0
Features
This commit implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.
A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.
Syntax:
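As an added example (not code from engine.io, socket.io or this PR), the chain semantics that such server-level middlewares rely on, shown with a minimal stand-in runner that has the same `use((req, res, next) => ...)` shape: a middleware that ends the response without calling `next()` stops the request before any handshake, a middleware that calls `next()` hands over to the following one, and a middleware that does neither leaves the request pending. The request and response objects, the allowed origin and the bearer token are all constructed for the example.

```javascript
// Added example, not engine.io's own code: a minimal middleware runner with the
// use((req, res, next) => ...) shape of server-level middlewares, used to show how a
// request (polling or upgrade alike) is rejected before the handshake when a
// middleware ends the response instead of calling next().

function createMiddlewareStack() {
  const middlewares = [];
  return {
    use(fn) {
      middlewares.push(fn);
      return this;
    },
    // Run the chain synchronously. Outcomes:
    //   "accepted": every middleware called next()
    //   "rejected": a middleware ended the response (a thrown error is mapped to 500)
    //   "pending":  a middleware neither called next() nor ended the response,
    //               which in a real server leaves the client hanging
    run(req, res) {
      let i = 0;
      let finished = false;
      const next = (err) => {
        if (err) throw err;
        if (res.ended) return;
        if (i === middlewares.length) {
          finished = true;
          return;
        }
        middlewares[i++](req, res, next);
      };
      try {
        next();
      } catch (e) {
        // Contain the failure in the request instead of letting it escape the handler.
        if (!res.ended) {
          res.writeHead(500);
          res.end("middleware error");
        }
      }
      if (res.ended) return "rejected";
      return finished ? "accepted" : "pending";
    },
  };
}

// Stand-in for http.ServerResponse with just what the middlewares use.
function makeResponse() {
  return {
    statusCode: 200,
    headers: {},
    body: "",
    ended: false,
    writeHead(code, headers = {}) {
      this.statusCode = code;
      Object.assign(this.headers, headers);
    },
    end(body = "") {
      this.body = body;
      this.ended = true;
    },
  };
}

// Middleware: reject browser handshakes whose Origin is not allowlisted
// (requests without an Origin header, e.g. from non-browser clients, pass through).
function originAllowlist(allowed) {
  return (req, res, next) => {
    const origin = req.headers.origin;
    if (origin !== undefined && !allowed.includes(origin)) {
      res.writeHead(403, { "content-type": "text/plain" });
      res.end("forbidden origin");
      return; // not calling next() stops the chain here
    }
    next();
  };
}

// Middleware: require a known bearer token in the Authorization header.
function requireBearerToken(validTokens) {
  return (req, res, next) => {
    const auth = req.headers.authorization || "";
    const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
    if (!validTokens.has(token)) {
      res.writeHead(401, { "www-authenticate": "Bearer" });
      res.end("unauthorized");
      return;
    }
    next();
  };
}

function buildStack() {
  return createMiddlewareStack()
    .use(originAllowlist(["https://app.example.com"])) // hypothetical allowed origin
    .use(requireBearerToken(new Set(["s3cret-token"]))); // constructed token
}

// Run one request (headers as Node lowercases them) through the stack.
function handle(stack, headers) {
  const req = { method: "GET", url: "/engine.io/?EIO=4&transport=polling", headers };
  const res = makeResponse();
  const outcome = stack.run(req, res);
  return { outcome, status: res.statusCode };
}

if (typeof require !== "undefined" && require.main === module) {
  const stack = buildStack();
  console.log(handle(stack, { origin: "https://evil.example", authorization: "Bearer s3cret-token" }));
  console.log(handle(stack, { origin: "https://app.example.com" }));
  console.log(handle(stack, { origin: "https://app.example.com", authorization: "Bearer s3cret-token", upgrade: "websocket" }));
}
```

The ordering matters: the origin check sits first so an unknown origin is refused before the token is even looked at, and because the same chain runs for an upgrade request, a WebSocket client cannot bypass checks that only a polling-era `allowRequest` hook would have seen. The `"pending"` outcome is the bug to watch for when writing middlewares: forgetting `next()` on the success path silently hangs every client.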
Dependencies
ws@~8.11.0 (no change)

v6.3.1
Dependencies
ws@~8.11.0 (no change)

v6.3.0
Bug Fixes
Features
The trailing slash which was added by default can now be disabled:
In the example above, the clients can omit the trailing slash and use /engine.io instead of /engine.io/.
Performance Improvements
This will be used when broadcasting packets at the Socket.IO level.
See also: socketio/socket.io-adapter@5f7b47d
Dependencies
ws@~8.11.0 (diff)

Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.