
fix: bumps ws to version 8.17.1 to fix CVE-2024-37890 #5052

Merged (1 commit), Jun 18, 2024

Conversation

sordu (Contributor) commented Jun 18, 2024

refs:

The kind of change this PR introduces

  • a bug fix
  • a new feature
  • an update to the documentation
  • a code change that improves performance
  • other

Current behavior

Open CVE blocks auditing: #5051

New behavior

Bumps the websocket package to remove security issues

Other information (e.g. related issues)

@darrachequesne darrachequesne merged commit fb5904e into socketio:main Jun 18, 2024
darrachequesne (Member)

@sordu thanks!

sordu (Contributor, Author) commented Jun 18, 2024

@darrachequesne can we have a PATCH version release with this please? :)

darrachequesne (Member)

@sordu the current version imports "engine.io": "~6.5.2", so the latest version of ws should be properly installed when running npm update. Isn't that the case for you?

sordu (Contributor, Author) commented Jun 18, 2024

Thank you!

darrachequesne (Member)

@andrewaustin no, the lock file is only for local development (when you clone the socket.io repository), not when you install it from npm. Running npm update in your project should be sufficient.

andrewaustin commented Jun 18, 2024

@darrachequesne npm update was not sufficient. Was able to reproduce with multiple people on my team. npm 10.7.0. Not entirely sure the reason, but npm remove and then npm install fixed it. Didn't seem to be a local issue because removing our package-lock.json and our node_modules did not resolve the issue.

Probably not worth you wasting any time on, since likely some npm, and package-lock weirdness.
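The check a practitioner wants after a thread like this is not "did npm update run" but "which copies of ws are actually resolved in my lockfile, and is any of them still below 8.17.1". npm can hoist one ws at the top level while a second, older copy stays nested under engine.io, and `npm ls ws` will show both. The script below is an added example written for this page, not code from the socket.io project or from anyone in this thread: it walks a package-lock.json (the `packages` map of lockfile v2/v3, or the nested `dependencies` tree of v1), lists every resolved ws, and flags those older than the fixed version this PR names. The lockfile content embedded in it is constructed for the example; the engine.io and ws version numbers in it are illustrative, not a claim about what any real release resolves to.

```javascript
// Added example (not socket.io project code): audit a package-lock.json for
// every resolved copy of `ws` and flag the ones below the fixed version.
// Usage: node audit-ws.js [path/to/package-lock.json]
// With no argument it audits the constructed SAMPLE_LOCK below.

const MIN_WS = "8.17.1"; // fixed ws version named in this PR (CVE-2024-37890)

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: true when a < b. A string compare would rank 8.9.0 above 8.17.1.
function semverLt(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Lockfile v2/v3 keeps every installed package under `packages`, keyed by its
// install path, so a nested copy shows up as ".../node_modules/ws". Lockfile v1
// nests a `dependencies` tree instead. Both layouts are walked here.
function findWsCopies(lock) {
  const copies = [];
  if (lock.packages) {
    for (const [p, info] of Object.entries(lock.packages)) {
      if (p === "node_modules/ws" || p.endsWith("/node_modules/ws")) {
        copies.push({ path: p, version: info.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, info] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        if (name === "ws") copies.push({ path: p, version: info.version });
        if (info.dependencies) walk(info.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return copies.map((c) => ({ ...c, vulnerable: semverLt(c.version, MIN_WS) }));
}

// Constructed lockfile fragment (lockfileVersion 3): the hoisted ws is already
// fixed, but engine.io still pins an older range, so a second, vulnerable copy
// sits nested under it. This is exactly the case `npm update` can leave behind.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "socket.io": "^4.7.5" } },
    "node_modules/ws": { version: "8.17.1" },
    "node_modules/engine.io": { version: "6.5.4", dependencies: { ws: "~8.11.0" } },
    "node_modules/engine.io/node_modules/ws": { version: "8.11.0" },
  },
};

function main() {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require("node:fs").readFileSync(lockPath, "utf8"))
    : SAMPLE_LOCK;
  const copies = findWsCopies(lock);
  for (const c of copies) {
    console.log(`${c.vulnerable ? "VULNERABLE" : "ok        "}  ws@${c.version}  ${c.path}`);
  }
  // Only a real lockfile audit drives the exit code, so CI can gate on it.
  if (lockPath && copies.some((c) => c.vulnerable)) process.exitCode = 1;
}

main();
```

If the audit still shows a nested copy after `npm update`, the two remedies seen in practice are the one andrewaustin describes (remove and reinstall the package so the nested subtree is rebuilt) or an `overrides` entry for `ws` in package.json, which npm 8.3 and later honour to force a single version across the tree; re-run the audit after either, because a green `npm audit` on the top-level copy says nothing about the nested one.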

jhuckaby added a commit to jhuckaby/Cronicle that referenced this pull request Jun 22, 2024
- Bump `socket.io` and `socket.io-client` to 4.7.5 for vuln fix.
- socketio/socket.io#5052
- https://www.tenable.com/cve/CVE-2024-37890