ci(deps): Update dependency socket.io to v2 [SECURITY] #13
Open
renovate wants to merge 1 commit into develop from renovate/npm-socket.io-vulnerability
Conversation
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 7b5e89e to 5d3c8d1 (April 13, 2021 18:00)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (Apr 13, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from d509309 to 8eab458 (April 19, 2021 15:18)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (Apr 19, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 8eab458 to c4e7097 (April 19, 2021 21:53)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (Apr 19, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from c4e7097 to d5f5194 (April 20, 2021 13:12)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (Apr 20, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from d5f5194 to 5a77e8f (April 22, 2021 11:13)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (Apr 22, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 5a77e8f to 2d5f707 (April 22, 2021 14:14)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (Apr 22, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 2d5f707 to 74be335 (April 30, 2021 02:23)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (Apr 30, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 74be335 to 9b22c06 (April 30, 2021 04:01)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (Apr 30, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 9b22c06 to 3cf46aa (May 2, 2021 20:11)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (May 2, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 3cf46aa to a3feb0e (May 2, 2021 21:41)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (May 2, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from a3feb0e to 4135796 (May 6, 2021 23:58)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (May 6, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 4135796 to 82084fb (May 7, 2021 00:39)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (May 7, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 82084fb to d901df4 (May 7, 2021 13:47)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (May 7, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from d901df4 to 2746291 (May 7, 2021 16:09)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (May 7, 2021)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 0320145 to edcbeea (April 21, 2024 07:21)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (Apr 21, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from edcbeea to c5b7e41 (April 21, 2024 11:02)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (Apr 21, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from c5b7e41 to e6c9635 (April 25, 2024 10:21)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (Apr 25, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from e6c9635 to 049ac0a (April 25, 2024 14:27)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (Apr 25, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 049ac0a to 23cbd54 (May 1, 2024 09:03)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (May 1, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 23cbd54 to 75dba6a (May 1, 2024 12:18)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (May 1, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 75dba6a to e58027d (May 9, 2024 10:41)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (May 9, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from e58027d to f44d665 (May 9, 2024 12:49)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (May 9, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from f44d665 to 541a147 (May 15, 2024 11:17)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (May 15, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 541a147 to 49e731d (May 15, 2024 21:10)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (May 15, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 49e731d to b6810a3 (June 4, 2024 10:15)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (Jun 4, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from b6810a3 to 75ccca1 (June 4, 2024 14:11)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (Jun 4, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 75ccca1 to f0182e0 (June 20, 2024 02:09)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from f0182e0 to e734af1 (June 27, 2024 07:13)
renovate bot changed the title from "ci(deps): Update dependency socket.io to v2 [SECURITY]" to "ci(deps): Update dependency socket.io [SECURITY]" (Jun 27, 2024)
renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from e734af1 to 4545fef (June 27, 2024 10:18)
renovate bot changed the title from "ci(deps): Update dependency socket.io [SECURITY]" to "ci(deps): Update dependency socket.io to v2 [SECURITY]" (Jun 27, 2024)
This PR contains the following updates:
socket.io: ~1.3.7 -> ~2.5.1
socket.io: ~1.7.4 -> ~2.5.1
GitHub Vulnerability Alerts
CVE-2020-28481
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
CVE-2024-38355
Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
Affected versions
4.6.2...latest: not affected
3.0.0...4.6.1: upgrade to socket.io@4.6.2 (at least)
2.3.0...2.5.0: upgrade to socket.io@2.5.1
Patches
This issue is fixed by socketio/socket.io@15af22f, included in socket.io@4.6.2 (released in May 2023). The fix was backported in the 2.x branch today: socketio/socket.io@d30630b
Workarounds
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:
For more information
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.
References
Release Notes
socketio/socket.io (socket.io)
v2.5.1
Compare Source
Bug Fixes
Links:
engine.io@~3.6.0 (no change)
ws@~7.5.10
v2.5.0
Compare Source
The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.
Security advisory: GHSA-j4f2-536g-r55m
Bug Fixes
Dependencies
engine.io@~3.6.0 (socketio/engine.io@3.5.0...3.6.0)
ws@~7.4.2 (no change)
4.5.1 (2022-05-17)
Bug Fixes
Dependencies
engine.io@~6.2.0 (no change)
ws@~8.2.3 (no change)
v2.4.1
Compare Source
Reverts
v2.4.0
Compare Source
Bug Fixes
3.0.4 (2020-12-07)
3.0.3 (2020-11-19)
3.0.2 (2020-11-17)
Bug Fixes
3.0.1 (2020-11-09)
Bug Fixes
v2.3.0
Compare Source
This release mainly contains a bump of the engine.io and ws packages, but no additional features.
v2.2.0
Compare Source
Features
Bug fixes
v2.1.1
Compare Source
Features
v2.1.0
Compare Source
Features
Bug fixes
Important note ⚠️ from Engine.IO 3.2.0 release
There are two non-breaking changes that are somehow quite important:
ws was reverted as the default wsEngine (https://github.com/socketio/engine.io/pull/550), as there were several blocking issues with uws. You can still use uws by running npm install uws --save in your project and using the wsEngine option.
pingTimeout now defaults to 5 seconds (instead of 60 seconds): https://github.com/socketio/engine.io/pull/551
v2.0.4
Compare Source
Bug fixes
Links: engine.io: -, ws: -
v2.0.3
Compare Source
Bug fixes
Links: engine.io: -, ws: -
v2.0.2
Compare Source
Bug fixes
Links: engine.io: -, ws: -
v2.0.1
Compare Source
Bug fixes
- update path of client file (#2934)
Links: engine.io: -, ws: -
v2.0.0
Compare Source
This major release brings several performance improvements:
uws is now the default Websocket engine. It should bring significant improvement in performance (particularly in terms of memory consumption) (https://github.com/socketio/engine.io/releases/tag/2.0.0)
the Engine.IO and Socket.IO handshake packets were merged, reducing the number of roundtrips necessary to establish a connection. (#2833)
it is now possible to provide a custom parser according to the needs of your application (#2829). Please take a look at the example for more information.
Please note that this release is not backward-compatible, due to:
Please also note that if you are using a self-signed certificate, rejectUnauthorized now defaults to true (https://github.com/socketio/engine.io-client/pull/558).
Finally, the API documentation is now in the repository (here), and the content of the website here. Do not hesitate if you see something wrong or missing!
The full list of changes:
- local flag (#2816)
- clients method in the API documentation (#2812)
Besides, we are proud to announce that Socket.IO is now a part of open collective: https://opencollective.com/socketio. More on that later.
v1.7.4
Compare Source
v1.7.3
Compare Source
v1.7.2
Compare Source
v1.7.1
Compare Source
(following socket.io-client update)
v1.7.0
Compare Source
- local flag (#2628)
v1.6.0
Compare Source
v1.5.1
Compare Source
- client in test script (#2731)
v1.5.0
Compare Source
v1.4.8
Compare Source
v1.4.7
Compare Source
v1.4.6
Compare Source
v1.4.5
Compare Source
v1.4.4
Compare Source
v1.4.3
Compare Source
v1.4.2
Compare Source
v1.4.1
Compare Source
v1.4.0
Compare Source
Configuration
📅 Schedule: Branch creation - "" in timezone America/Lima, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.