Bhaviktutorials / BloodyRat

A Bloody RAT is software that gives a person full remote control of a device.
BSD 3-Clause "New" or "Revised" License
63 stars, 17 forks

[Snyk] Upgrade socket.io from 2.2.0 to 2.5.0 #13

Closed: Bhaviktutorials closed this 2 years ago

Bhaviktutorials commented 2 years ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade socket.io from 2.2.0 to 2.5.0.

![merge advice](https://app.snyk.io/badges/merge-advice/?package_manager=npm&package_name=socket.io&from_version=2.2.0&to_version=2.5.0&pr_id=017efdd1-96b3-4d00-a4ad-940a2ed1d9ed&visibility=true&has_feature_flag=false)

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

- The recommended version is **4 versions** ahead of your current version.
- The recommended version was released **3 months ago**, on 2022-06-26.

The recommended version fixes:

| Issue | Snyk ID | Priority Score (*) | Exploit Maturity |
|:------|:--------|:-------------------|:-----------------|
| Access Restriction Bypass | [SNYK-JS-XMLHTTPREQUESTSSL-1255647](https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1255647) | **472/1000** **Why?** Proof of Concept exploit, CVSS 7.3 | Proof of Concept |
| Arbitrary Code Injection | [SNYK-JS-XMLHTTPREQUESTSSL-1082936](https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936) | **472/1000** **Why?** Proof of Concept exploit, CVSS 7.3 | Proof of Concept |
| Denial of Service (DoS) | [SNYK-JS-SOCKETIOPARSER-1056752](https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752) | **472/1000** **Why?** Proof of Concept exploit, CVSS 7.3 | Proof of Concept |
| Regular Expression Denial of Service (ReDoS) | [SNYK-JS-WS-1296835](https://snyk.io/vuln/SNYK-JS-WS-1296835) | **472/1000** **Why?** Proof of Concept exploit, CVSS 7.3 | Proof of Concept |
| Insecure Defaults | [SNYK-JS-SOCKETIO-1024859](https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859) | **472/1000** **Why?** Proof of Concept exploit, CVSS 7.3 | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: socket.io
  • 2.5.0 - 2022-06-26

    ⚠️ WARNING ⚠️

    The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

    Security advisory: GHSA-j4f2-536g-r55m

    Bug Fixes

    • fix race condition in dynamic namespaces (05e1278)
    • ignore packet received after disconnection (22d4bdf)
    • only set 'connected' to true after middleware execution (226cc16)
    • prevent the socket from joining a room after disconnection (f223178)

  • 2.4.1 - 2021-01-07
  • 2.4.0 - 2021-01-04
  • 2.3.0 - 2019-09-20
  • 2.2.0 - 2018-11-28

from [socket.io GitHub release notes](https://snyk.io/redirect/github/socketio/socket.io/releases)

Commit messages
Package name: socket.io
  • baa6804 chore(release): 2.5.0
  • f223178 fix: prevent the socket from joining a room after disconnection
  • 226cc16 fix: only set 'connected' to true after middleware execution
  • 05e1278 fix: fix race condition in dynamic namespaces
  • 22d4bdf fix: ignore packet received after disconnection
  • dfded53 chore: update engine.io version to 3.6.0
  • e6b8697 chore(release): 2.4.1
  • a169050 revert: fix(security): do not allow all origins by default
  • 873fdc5 chore(release): 2.4.0
  • f78a575 fix(security): do not allow all origins by default
  • d33a619 fix: properly overwrite the query sent in the handshake
  • 3951a79 chore: bump engine.io version
  • 6fa026f ci: migrate to GitHub Actions
  • 47161a6 [chore] Release 2.3.0
  • cf39362 [chore] Bump socket.io-parser to version 3.4.0
  • 4d01b2c test: remove deprecated Buffer usage (#3481)
  • 8227192 [docs] Fix the default value of the 'origins' parameter (#3464)
  • 1150eb5 [chore] Bump engine.io to version 3.4.0
  • 9c1e73c [chore] Update the license of the chat example (#3410)

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
