Update dependency socket.io to v2.5.1 [SECURITY] #10
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.0.2
->2.5.1
GitHub Vulnerability Alerts
CVE-2020-28481
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
CVE-2024-38355
Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
Affected versions
4.6.2...latest
3.0.0...4.6.1
[email protected]
(at least)2.3.0...2.5.0
[email protected]
Patches
This issue is fixed by socketio/socket.io@15af22f, included in
[email protected]
(released in May 2023).The fix was backported in the 2.x branch today: socketio/socket.io@d30630b
Workarounds
As a workaround for the affected versions of the
socket.io
package, you can attach a listener for the "error" event:For more information
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.
References
Release Notes
socketio/socket.io (socket.io)
v2.5.1
Compare Source
Bug Fixes
Links:
-
~3.6.0
(no change)~7.5.10
v2.5.0
Compare Source
The default value of the
maxHttpBufferSize
option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.Security advisory: GHSA-j4f2-536g-r55m
Bug Fixes
Links:
~3.6.0
(diff)~7.4.2
v2.4.1
Compare Source
Reverts
v2.4.0
Compare Source
Related blog post: https://socket.io/blog/socket-io-2-4-0/
Features (from Engine.IO)
Bug Fixes
Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (
Access-Control-Allow-xxx
) to any domain. This will not be the case anymore, and you now have to explicitly enable it.Please note that you are not impacted if:
origins
option to restrict the list of allowed domainsThis commit also removes the support for '*' matchers and protocol-less URL:
To restore the previous behavior (please use with caution):
See also:
Thanks a lot to @ni8walk3r for the security report.
Links:
~3.5.0
~7.4.2
v2.3.0
Compare Source
This release mainly contains a bump of the
engine.io
andws
packages, but no additional features.Links:
~3.4.0
(diff: socketio/engine.io@3.3.1...3.4.2)^7.1.2
(diff: websockets/ws@6.1.2...7.3.1)v2.2.0
Compare Source
Features
Bug fixes
Links
~3.3.1
(diff: socketio/engine.io@3.2.0...3.3.1)~6.1.0
(diff: websockets/ws@3.3.1...6.1.2)v2.1.1
Compare Source
Features
Bug fixes
(client) fire an error event on middleware failure for non-root namespace (https://github.com/socketio/socket.io-client/pull/1202)
Links:
~3.2.0
~3.3.1
v2.1.0
Compare Source
Features
Bug fixes
Important note⚠️ from Engine.IO 3.2.0 release
There are two non-breaking changes that are somehow quite important:
ws
was reverted as the default wsEngine (https://github.com/socketio/engine.io/pull/550), as there was several blocking issues withuws
. You can still useuws
by runningnpm install uws --save
in your project and using thewsEngine
option:pingTimeout
now defaults to 5 seconds (instead of 60 seconds): https://github.com/socketio/engine.io/pull/551Links:
~3.2.0
(diff: socketio/engine.io@3.1.0...3.2.0)~3.3.1
(diff: websockets/ws@2.3.1...3.3.1)v2.0.4
Compare Source
Bug fixes
Links:
engine.io
: -ws
: -v2.0.3
Compare Source
Bug fixes
Links:
engine.io
: -ws
: -Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.