:warning: This release contains an important security fix :warning:
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
Error: read ECONNRESET
at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
at emitErrorNT (internal/streams/destroy.js:106:8)
at emitErrorCloseNT (internal/streams/destroy.js:74:3)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
errno: -104,
code: 'ECONNRESET',
syscall: 'read'
}
Please upgrade as soon as possible.
Bug Fixes
catch errors when destroying invalid upgrades (#658) (425e833)
6.2.0
Features
add the "maxPayload" field in the handshake details (088dcb4)
So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize
value.
This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as
we only add a field in the JSON-encoded handshake data:
Socket.io disconnects / large stats object size: Dramatically reduce the size of the webpack stats object being sent from client (webpack plugin) to server (CLI). Add client error/disconnect information for better future debugging. Original issue: #279 and fix: #281.
Chore: Refactor internal stats consumption to perform inspectpack analysis in the main thread, without using main streams.
Chore: Refactor internal handler in plugin to always be a wrapped function so that we can't accidentally have asynchronous code call the handler function after it is removed / nulled.
Bugfix: Add message counting delayed cleanup in plugin to allow messages to drain in Dashboard. Fixes #294.
This version was pushed to npm by ryan.roemer, a new releaser for webpack-dashboard since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ElemeFE/vue-amap/network/alerts).
Bumps engine.io to 6.2.1 and updates ancestor dependencies engine.io, karma and webpack-dashboard. These dependencies need to be updated together.
Updates
engine.iofrom 1.8.3 to 6.2.1Release notes
Sourced from engine.io's releases.
... (truncated)
Changelog
Sourced from engine.io's changelog.
... (truncated)
Commits
24b847bchore(release): 6.2.1425e833fix: catch errors when destroying invalid upgrades (#658)99adb00chore(deps): bump xmlhttprequest-ssl and engine.io-client in /examples/latenc...d196f6achore(deps): bump minimatch from 3.0.4 to 3.1.2 (#660)7c1270fchore(deps): bump nanoid from 3.1.25 to 3.3.1 (#659)535a01dci: add Node.js 18 in the test matrix1b71a6fdocs: remove "Vanilla JS" highlight from README (#656)917d1d2refactor: replace deprecatedString.prototype.substr()(#646)020801achore: add changelog for version 3.6.0ed1d6f9test: make test script work on Windows (#643)Updates
karmafrom 1.7.1 to 6.4.1Release notes
Sourced from karma's releases.
... (truncated)
Changelog
Sourced from karma's changelog.
... (truncated)
Commits
0013121chore(release): 6.4.1 [skip ci]63d86befix: pass integrity value84f7cc3chore(release): 6.4.0 [skip ci]f2d0663docs: add integrity parameterdc51a2efeat: support SRI verification of link tags6a54b1cfeat: support SRI verification of script tags5e71cf5chore(release): 6.3.20 [skip ci]e17698ffix: prefer IPv4 addresses when resolving domains60f4f79build: add Node 16 and 18 to the CI matrix6ff5aafchore(release): 6.3.19 [skip ci]Updates
webpack-dashboardfrom 0.2.1 to 3.3.7Release notes
Sourced from webpack-dashboard's releases.
... (truncated)
Changelog
Sourced from webpack-dashboard's changelog.
... (truncated)
Commits
cb315163.3.73370126Changes for 3.3.74802585Bug: TS fixes (#341)8a725a4Merge pull request #340 from FormidableLabs/update-readme-imagesc80df63update readme image urls530a59dCleaned up the issue template (#337)983a80c3.3.6cb0aaa2Changes for 3.3.6ee73086Bug: (#338)1c958c43.3.5Maintainer changes
This version was pushed to npm by ryan.roemer, a new releaser for webpack-dashboard since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ElemeFE/vue-amap/network/alerts).