This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to upgrade socket.io from 4.5.0 to 4.7.5.
:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
- The recommended version is **14 versions** ahead of your current version.
- The recommended version was released **25 days ago**, on 2024-03-14.
The recommended version fixes:
| Severity | Issue | Priority Score (*) | Exploit Maturity |
|:--------:|:------|:-------------------|:-----------------|
| | Denial of Service (DoS) [SNYK-JS-ENGINEIO-3136336](https://snyk.io/vuln/SNYK-JS-ENGINEIO-3136336) | **375/1000** **Why?** CVSS 7.5 | No Known Exploit |
| | Uncaught Exception [SNYK-JS-ENGINEIO-5496331](https://snyk.io/vuln/SNYK-JS-ENGINEIO-5496331) | **375/1000** **Why?** CVSS 7.5 | No Known Exploit |
| | Improper Input Validation [SNYK-JS-SOCKETIOPARSER-3091012](https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-3091012) | **375/1000** **Why?** CVSS 7.5 | No Known Exploit |
| | Denial of Service (DoS) [SNYK-JS-SOCKETIOPARSER-5596892](https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-5596892) | **375/1000** **Why?** CVSS 7.5 | No Known Exploit |
| | Prototype Pollution [SNYK-JS-XMLDOMXMLDOM-3042243](https://snyk.io/vuln/SNYK-JS-XMLDOMXMLDOM-3042243) | **375/1000** **Why?** CVSS 7.5 | No Known Exploit |
| | Improper Input Validation [SNYK-JS-XMLDOMXMLDOM-3092934](https://snyk.io/vuln/SNYK-JS-XMLDOMXMLDOM-3092934) | **375/1000** **Why?** CVSS 7.5 | Proof of Concept |
(*) Note that the real score may have changed since the PR was raised.
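A defender-side check to go with the table above, added here as an example and not part of the Snyk PR or of socket.io itself: a Node.js script that reads a `package-lock.json` (the lockfile v2/v3 `"packages"` layout is assumed), compares every installed copy of socket.io against the 4.7.5 target this PR upgrades to, and lists the installed versions of the transitive packages the table attributes findings to (engine.io, socket.io-parser, and @xmldom/xmldom, assumed to be the package behind the SNYK-JS-XMLDOMXMLDOM ids). Nested duplicate copies, which a top-level upgrade alone does not touch, are included. The lockfile content below is constructed; the PR does not state fixed versions for the transitive packages, so those are reported rather than judged.

```javascript
// Added example, not Snyk's or socket.io's code.
// Assumptions: lockfileVersion 2 or 3 layout (top-level "packages" map keyed by
// "node_modules/<name>" paths); the only fix target the PR states is socket.io >= 4.7.5.

const TARGET = { name: "socket.io", minVersion: "4.7.5" };
// Packages the advisory table attributes findings to; versions are reported only.
const WATCHED = ["engine.io", "socket.io-parser", "@xmldom/xmldom"];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Compare two versions; a prerelease sorts below its release (4.7.5-alpha1 < 4.7.5).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Walk the "packages" map and collect every installed copy of each package name,
// nested duplicates (node_modules/a/node_modules/engine.io) included.
function installedVersions(lock) {
  const found = new Map();
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (!found.has(name)) found.set(name, []);
    found.get(name).push(entry.version);
  }
  return found;
}

// Report: does every installed socket.io meet the target, and which watched versions exist.
function audit(lock) {
  const found = installedVersions(lock);
  const copies = found.get(TARGET.name) ?? [];
  const outdated = copies.filter((v) => compareVersions(v, TARGET.minVersion) < 0);
  return {
    socketio: copies,
    needsUpgrade: outdated.length > 0,
    outdated,
    watched: Object.fromEntries(WATCHED.map((n) => [n, found.get(n) ?? []])),
  };
}

// Constructed sample lockfile (not a real project's lockfile): the top-level socket.io
// is still 4.5.0, while a nested copy under another package is already at 4.7.5.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "socket.io": "^4.5.0" } },
    "node_modules/socket.io": { version: "4.5.0" },
    "node_modules/engine.io": { version: "6.2.0" },
    "node_modules/socket.io-parser": { version: "4.2.0" },
    "node_modules/some-tool/node_modules/socket.io": { version: "4.7.5" },
  },
};

const REPORT = audit(SAMPLE_LOCK);
console.log(JSON.stringify(REPORT, null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of that project's `package-lock.json` and treat a non-empty `outdated` list as the signal that the upgrade (or a nested copy of it) is still missing.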
Release notes
Package name: socket.io

- remove the Partial modifier from the socket.data type (#4740) (e5c62ca)

Features

Support for WebTransport

The Socket.IO server can now use WebTransport as the underlying transport.

WebTransport is a web API that uses the HTTP/3 protocol as a bidirectional transport. It's intended for two-way communications between a web client and an HTTP/3 server.

- **4.6.0** - [2023-02-07](https://snyk.io/redirect/github/socketio/socket.io/releases/tag/4.6.0) ([Read more](https://snyk.io/redirect/github/socketio/socket.io/releases/tag/4.6.0))
- **4.6.0-alpha1** - [2023-01-25](https://snyk.io/redirect/github/socketio/socket.io/releases/tag/4.6.0-alpha1)

  The RemoteSocket interface, which is returned when the client is connected on another Socket.IO server of the cluster, was lacking the timeout() method.

  ```js
  const sockets = await io.fetchSockets();

  for (const socket of sockets) {
    if (someCondition) {
      socket.timeout(1000).emit("some-event", (err) => {
        if (err) {
          // the client did not acknowledge the event in the given delay
        }
      });
    }
  }
  ```
Release notes
Package name: socket.io

Bug Fixes

Links: engine.io@~6.5.2 (no change), ws@~8.11.0 (no change)

Bug Fixes

Links: engine.io@~6.5.2 (no change), ws@~8.11.0 (no change)

Bug Fixes

Links: engine.io@~6.5.2 (no change), ws@~8.11.0 (no change)

Bug Fixes

Links: engine.io@~6.5.2 (diff), ws@~8.11.0 (no change)

The client bundle contains a few fixes regarding the WebTransport support.

Links: engine.io@~6.5.0 (no change), ws@~8.11.0 (no change)

Features
Support for WebTransport

The Socket.IO server can now use WebTransport as the underlying transport.

WebTransport is a web API that uses the HTTP/3 protocol as a bidirectional transport. It's intended for two-way communications between a web client and an HTTP/3 server.

References:

Until WebTransport support lands in Node.js, you can use the @fails-components/webtransport package:

```js
import { readFileSync } from "fs";
import { createServer } from "https";
import { Server } from "socket.io";
import { Http3Server } from "@fails-components/webtransport";

// WARNING: the total length of the validity period MUST NOT exceed two weeks (https://w3c.github.io/webtransport/#custom-certificate-requirements)
const cert = readFileSync("/path/to/my/cert.pem");
const key = readFileSync("/path/to/my/key.pem");

const httpsServer = createServer({
  key,
  cert
});

httpsServer.listen(3000);

const io = new Server(httpsServer, {
  transports: ["polling", "websocket", "webtransport"] // WebTransport is not enabled by default
});

const h3Server = new Http3Server({
  port: 3000,
  host: "0.0.0.0",
  secret: "changeit",
  cert,
  privKey: key,
});

(async () => {
  const stream = await h3Server.sessionStream("/socket.io/");
  const sessionReader = stream.getReader();

  while (true) {
    const { done, value } = await sessionReader.read();
    if (done) {
      break;
    }
    // hand each incoming WebTransport session to the engine.io layer
    io.engine.onWebTransportSession(value);
  }
})();

h3Server.startServer();
```

Added in 123b68c.
Client bundles with CORS headers

The bundles will now have the right Access-Control-Allow-xxx headers.

Added in 63f181c.

Links: engine.io@~6.5.0 (diff), ws@~8.11.0 (no change)

- types condition to the top (#4698) (3d44aae)

Links: engine.io@~6.4.2 (diff), ws@~8.11.0 (no change)

Links: engine.io@~6.4.1 (diff), ws@~8.11.0 (no change)
The RemoteSocket interface, which is returned when the client is connected on another Socket.IO server of the cluster, was lacking the timeout() method.

Syntax:

```js
const sockets = await io.fetchSockets();

for (const socket of sockets) {
  if (someCondition) {
    socket.timeout(1000).emit("some-event", (err) => {
      if (err) {
        // the client did not acknowledge the event in the given delay
      }
    });
  }
}
```