RafalWilinski / express-status-monitor

🚀 Realtime Monitoring solution for Node.js/Express.js apps, inspired by status.github.com, sponsored by https://dynobase.dev
MIT License
3.61k stars, 255 forks

[Snyk] Security upgrade socket.io from 4.4.1 to 4.6.0 #209

Open snyk-bot opened 1 year ago

snyk-bot commented 1 year ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| High | 661/1000 (Why? Recently disclosed, has a fix available, CVSS 7.5) | Uncaught Exception, SNYK-JS-ENGINEIO-5496331 | No | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: socket.io

The new version differs by 60 commits.
  • a2e5d1f chore(release): 4.6.0
  • d8143cc refactor: do not persist session if connection state recovery if disabled
  • b2dd7cf chore: bump engine.io to version 6.4.0
  • 3734b74 revert: feat: expose current offset to allow deduplication
  • 8aa9499 feat: add description to the disconnecting and disconnect events (#4622)
  • 4e64123 feat: expose current offset to allow deduplication
  • 115a981 refactor: do not include the pid by default
  • 0c0eb00 fix: add timeout method to remote socket (#4558)
  • f8640d9 refactor: export DisconnectReason type
  • 93d446a refactor: add charset when serving the bundle files
  • 184f3cf feat: add promise-based acknowledgements
  • 5d9220b feat: add the ability to clean up empty child namespaces (#4602)
  • 1298839 test: add test with onAnyOutgoing() and binary attachments
  • 6c27b8b test: add test with socket.disconnect(true)
  • f3ada7d fix(typings): properly type emits with timeout
  • a21ad88 docs(changelog): add note about maxHttpBufferSize default value (#4596)
  • 54d5ee0 feat: implement connection state recovery
  • da2b542 perf: precompute the WebSocket frames when broadcasting
  • b7d54db docs: add Rust client implementation (#4592)
  • d4a9b2c refactor(typings): add types for io.engine (#4591)
  • 547c541 chore: add security policy
  • 3b7ced7 chore(release): 4.5.4
  • c00bb95 chore: bump engine.io to version 6.2.1
  • 57e5f25 chore: bump socket.io-parser to version 4.2.1
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.