New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency socket.io to ^2.5.0 #349

Open

mend-for-github-com wants to merge 1 commit into master from whitesource-remediate/socket.io-2.x

Contributor

mend-for-github-com bot commented Apr 11, 2024

This PR contains the following updates:

Package	Type	Update	Change
socket.io	dependencies	minor	`^2.1.0` -> `^2.5.0`

By merging this PR, the below issues will be automatically resolved and closed:

Severity	CVSS Score	CVE	GitHub Issue
Critical	9.8	CVE-2022-2421	#330
Critical	9.4	CVE-2021-31597	#230
High	8.1	CVE-2020-28502	#162
High	8.1	WS-2020-0443	#218
High	7.5	CVE-2020-36048	#232
High	7.5	CVE-2020-36049	#235
Medium	6.5	CVE-2022-41940	#288
Medium	5.3	CVE-2021-32640	#305
Medium	5.3	CVE-2021-32640	#305
Medium	4.3	CVE-2020-28481	#228

Release Notes

socketio/socket.io (socket.io)

`v2.5.0`

⚠️ WARNING ⚠️

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: GHSA-j4f2-536g-r55m

Bug Fixes

fix race condition in dynamic namespaces (05e1278)
ignore packet received after disconnection (22d4bdf)
only set 'connected' to true after middleware execution (226cc16)
prevent the socket from joining a room after disconnection (f223178)

Dependencies

engine.io@~3.6.0 (socketio/engine.io@3.5.0...3.6.0)
ws@~7.4.2 (no change)

4.5.1 (2022-05-17)

Bug Fixes

forward the local flag to the adapter when using fetchSockets() (30430f0)
typings: add HTTPS server to accepted types (#4351) (9b43c91)

Dependencies

engine.io@~6.2.0 (no change)
ws@~8.2.3 (no change)

`v2.4.1`

Reverts

fix(security): do not allow all origins by default (a169050)

`v2.4.0`

Bug Fixes

security: do not allow all origins by default (f78a575)
properly overwrite the query sent in the handshake (d33a619)

3.0.4 (2020-12-07)

3.0.3 (2020-11-19)

3.0.2 (2020-11-17)

Bug Fixes

merge Engine.IO options (43705d7)

3.0.1 (2020-11-09)

Bug Fixes

export ServerOptions and Namespace types (#3684) (f62f180)
typings: update the signature of the emit method (50671d9)

`v2.3.0`

This release mainly contains a bump of the engine.io and ws packages, but no additional features.

`v2.2.0`

Features

add cache-control header when serving the client source (#2907) (b00ae50)

Bug fixes

throw an error when trying to access the clients of a dynamic namespace (#3355) (a7fbd1a)

`v2.1.1`

Features

add local flag to the socket object (#3129) (1decae3)

socket.local.to('room101').emit(/* */);

If you want to rebase/retry this PR, check this box


          Update dependency socket.io to ^2.5.0

a2206d1

mend-for-github-com bot added the security fix label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment