[Snyk] Upgrade engine.io from 3.1.4 to 3.6.0

[TwistedHardware]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade engine.io from 3.1.4 to 3.6.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 11 versions ahead of your current version.
• The recommended version was released 5 months ago, on 2022-06-06.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Proof of Concept
	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Proof of Concept
	Denial of Service (DoS) npm:ws:20171108	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Mature
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: engine.io

• 3.6.0 - 2022-06-06
  

  Bug Fixes

  • add extension in the package.json main entry (#608) (3ad0567)
  • do not reset the ping timer after upgrade (1f5d469)

  Features

  • decrease the default value of maxHttpBufferSize (58e274c)

  This change reduces the default value from 100 mb to a more sane 1 mb.

  This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.

  See also: GHSA-j4f2-536g-r55m

  • increase the default value of pingTimeout (f55a79a)

  Links

  • Diff: 3.5.0...3.6.0
  • Client release: -
  • ws version: ~7.4.2
• 3.5.0 - 2020-12-30
• 3.4.2 - 2020-06-04
• 3.4.1 - 2020-04-17
• 3.4.0 - 2019-09-13
• 3.3.2 - 2018-11-29
• 3.3.1 - 2018-11-19
• 3.3.0 - 2018-11-07
• 3.2.1 - 2018-11-02
• 3.2.0 - 2018-02-28
• 3.1.5 - 2018-02-18
• 3.1.4 - 2017-11-12

from engine.io GitHub release notes

Commit messages

Package name: engine.io

• f55a79a feat: increase the default value of pingTimeout
• 1f5d469 fix: do not reset the ping timer after upgrade
• 3ad0567 fix: add extension in the package.json main entry (#608)
• 58e274c feat: decrease the default value of maxHttpBufferSize
• b9dee7b chore(release): 3.5.0
• 19cc582 feat: add support for all cookie options
• 5ad2736 feat: disable perMessageDeflate by default
• f632269 chore: bump ws version
• ddb80a2 ci: migrate to GitHub Actions
• b68ed6f chore: release 3.4.2
• 85e544a fix: remove explicit require of uws
• e488120 chore: release 3.4.1
• 001ca62 fix: use SameSite=Strict by default
• da851ec fix: ignore errors when forcefully closing the socket
• 21ef608 chore: add minimum version requirement in the package.json file
• ecfcc69 [chore] Release 3.4.0
• 7bf7581 [chore] Bump engine.io-parser to version 2.2.0
• c471e03 [chore] Bump `ws` to latest version (#587)
• c144895 [feat] add additional debug messages (#586)
• a967626 [chore] Bump debug to version 4.1.0 (#581)
• 5bbbfe2 [ci] remove Node.js 4 and 6 from the build matrix
• ad844f4 [fix] Deprecated Buffer usage in dependency (#585)
• cb0ac6f [chore] Release 3.3.2
• ec4e12a [revert] Allow configuration of `Access-Control-Allow-Origin` value (#511)

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs