Closed renovate[bot] closed 1 year ago
This PR contains the following updates:
3.4.2
3.6.1
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
events.js:292 throw er; // Unhandled 'error' event ^ Error: read ECONNRESET at TCP.onStreamRead (internal/stream_base_commons.js:209:20) Emitted 'error' event on Socket instance at: at emitErrorNT (internal/streams/destroy.js:106:8) at emitErrorCloseNT (internal/streams/destroy.js:74:3) at processTicksAndRejections (internal/process/task_queues.js:80:21) { errno: -104, code: 'ECONNRESET', syscall: 'read' }
This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.
engine.io
socket.io
A fix has been released today (2022/11/20):
engine.io@3.x.y
engine.io@6.x.y
6.2.1
For socket.io users:
socket.io@4.5.x
~6.2.0
npm audit fix
socket.io@4.4.x
~6.1.0
socket.io@4.3.x
~6.0.0
socket.io@4.2.x
~5.2.0
socket.io@4.1.x
~5.1.1
socket.io@4.0.x
~5.0.0
socket.io@3.1.x
~4.1.0
socket.io@3.0.x
~4.0.0
socket.io@2.5.0
~3.6.0
socket.io@2.4.x
~3.5.0
There is no known workaround except upgrading to a safe version.
If you have any questions or comments about this advisory:
Thanks to Jonathan Neve for the responsible disclosure.
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
3.4.2->3.6.1GitHub Vulnerability Alerts
CVE-2022-41940
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
This impacts all the users of the
engine.iopackage, including those who uses depending packages likesocket.io.Patches
A fix has been released today (2022/11/20):
engine.io@3.x.y3.6.1engine.io@6.x.y6.2.1For
socket.iousers:engine.ioversionsocket.io@4.5.x~6.2.0npm audit fixshould be sufficientsocket.io@4.4.x~6.1.0socket.io@4.5.xsocket.io@4.3.x~6.0.0socket.io@4.5.xsocket.io@4.2.x~5.2.0socket.io@4.5.xsocket.io@4.1.x~5.1.1socket.io@4.5.xsocket.io@4.0.x~5.0.0socket.io@4.5.xsocket.io@3.1.x~4.1.0socket.io@4.5.x(see here)socket.io@3.0.x~4.0.0socket.io@4.5.x(see here)socket.io@2.5.0~3.6.0npm audit fixshould be sufficientsocket.io@2.4.xand below~3.5.0socket.io@2.5.0Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
engine.ioThanks to Jonathan Neve for the responsible disclosure.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.