-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependency socket.io to v2 [SECURITY] #7
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-socket.io-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
b6bf794
to
e9d504a
Compare
e9d504a
to
6d5cb92
Compare
6d5cb92
to
5607950
Compare
5607950
to
6cbb2e2
Compare
6cbb2e2
to
68399b0
Compare
68399b0
to
a64e034
Compare
a64e034
to
6311ef2
Compare
8704126
to
9f25bbf
Compare
9f25bbf
to
c177ad0
Compare
c177ad0
to
f2e500a
Compare
f2e500a
to
560f229
Compare
560f229
to
705f952
Compare
0dbfe92
to
a60725c
Compare
e931bb3
to
61d4b33
Compare
61d4b33
to
d0ab6fa
Compare
d0ab6fa
to
d7a8492
Compare
d7a8492
to
c585aeb
Compare
d175b28
to
a249754
Compare
a249754
to
af5df12
Compare
af5df12
to
323c264
Compare
323c264
to
5476101
Compare
5476101
to
beda3ef
Compare
beda3ef
to
845c13d
Compare
845c13d
to
eaaccc0
Compare
eaaccc0
to
dbb3c30
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
None yet
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^1.3.5
->^2.5.1
GitHub Vulnerability Alerts
CVE-2020-28481
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
CVE-2024-38355
Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
Affected versions
4.6.2...latest
3.0.0...4.6.1
socket.io@4.6.2
(at least)2.3.0...2.5.0
socket.io@2.5.1
Patches
This issue is fixed by socketio/socket.io@15af22f, included in
socket.io@4.6.2
(released in May 2023).The fix was backported in the 2.x branch today: socketio/socket.io@d30630b
Workarounds
As a workaround for the affected versions of the
socket.io
package, you can attach a listener for the "error" event:For more information
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.
References
Release Notes
socketio/socket.io (socket.io)
v2.5.1
Compare Source
Bug Fixes
Links:
-
~3.6.0
(no change)~7.5.10
v2.5.0
Compare Source
The default value of the
maxHttpBufferSize
option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.Security advisory: GHSA-j4f2-536g-r55m
Bug Fixes
Dependencies
engine.io@~3.6.0
(socketio/engine.io@3.5.0...3.6.0)ws@~7.4.2
(no change)4.5.1 (2022-05-17)
Bug Fixes
Dependencies
engine.io@~6.2.0
(no change)ws@~8.2.3
(no change)v2.4.1
Compare Source
Reverts
v2.4.0
Compare Source
Bug Fixes
3.0.4 (2020-12-07)
3.0.3 (2020-11-19)
3.0.2 (2020-11-17)
Bug Fixes
3.0.1 (2020-11-09)
Bug Fixes
v2.3.0
Compare Source
This release mainly contains a bump of the
engine.io
andws
packages, but no additional features.v2.2.0
Compare Source
Features
Bug fixes
v2.1.1
Compare Source
Features
v2.1.0
Compare Source
Features
Bug fixes
Important note⚠️ from Engine.IO 3.2.0 release
There are two non-breaking changes that are somehow quite important:
ws
was reverted as the default wsEngine (https://github.com/socketio/engine.io/pull/550), as there was several blocking issues withuws
. You can still useuws
by runningnpm install uws --save
in your project and using thewsEngine
option:pingTimeout
now defaults to 5 seconds (instead of 60 seconds): https://github.com/socketio/engine.io/pull/551v2.0.4
Compare Source
Bug fixes
Links:
engine.io
: -ws
: -v2.0.3
Compare Source
Bug fixes
Links:
engine.io
: -ws
: -v2.0.2
Compare Source
Bug fixes
Links:
engine.io
: -ws
: -v2.0.1
Compare Source
Bug fixes
- update path of client file (#2934)
Links:
engine.io
: -ws
: -v2.0.0
Compare Source
This major release brings several performance improvements:
uws is now the default Websocket engine. It should bring significant improvement in performance (particularly in terms of memory consumption) (https://github.com/socketio/engine.io/releases/tag/2.0.0)
the Engine.IO and Socket.IO handshake packets were merged, reducing the number of roundtrips necessary to establish a connection. (#2833)
it is now possible to provide a custom parser according to the needs of your application (#2829). Please take a look at the example for more information.
Please note that this release is not backward-compatible, due to:
Please also note that if you are using a self-signed certificate,
rejectUnauthorized
now defaults totrue
(https://github.com/socketio/engine.io-client/pull/558).Finally, the API documentation is now in the repository (here), and the content of the website here. Do not hesitate if you see something wrong or missing!
The full list of changes:
local
flag (#2816)clients
method in the API documentation (#2812)Besides, we are proud to announce that Socket.IO is now a part of open collective: https://opencollective.com/socketio. More on that later.
v1.7.4
Compare Source
v1.7.3
Compare Source
v1.7.2
Compare Source
v1.7.1
Compare Source
(following
socket.io-client
update)v1.7.0
Compare Source
local
flag (#2628)v1.6.0
Compare Source
v1.5.1
Compare Source
client
in test script (#2731)v1.5.0
Compare Source
v1.4.8
Compare Source
v1.4.7
Compare Source
v1.4.6
Compare Source
v1.4.5
Compare Source
v1.4.4
Compare Source
v1.4.3
Compare Source
v1.4.2
Compare Source
v1.4.1
Compare Source
v1.4.0
Compare Source
v1.3.7
Compare Source
v1.3.6
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.