search

adobe / aem-angular-editable-components

SPA Angular Editable Components for Adobe Experience Manager
Apache License 2.0
16 stars 11 forks source link

chore(deps): update dependency engine.io to 3.6.1 [security] - autoclosed #95

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change
engine.io 3.5.0 -> 3.6.1

GitHub Vulnerability Alerts

CVE-2020-36048

Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

CVE-2022-41940

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

Version range Fixed version
engine.io@3.x.y 3.6.1
engine.io@6.x.y 6.2.1

For socket.io users:

Version range engine.io version Needs minor update?
socket.io@4.5.x ~6.2.0 npm audit fix should be sufficient
socket.io@4.4.x ~6.1.0 Please upgrade to socket.io@4.5.x
socket.io@4.3.x ~6.0.0 Please upgrade to socket.io@4.5.x
socket.io@4.2.x ~5.2.0 Please upgrade to socket.io@4.5.x
socket.io@4.1.x ~5.1.1 Please upgrade to socket.io@4.5.x
socket.io@4.0.x ~5.0.0 Please upgrade to socket.io@4.5.x
socket.io@3.1.x ~4.1.0 Please upgrade to socket.io@4.5.x (see here)
socket.io@3.0.x ~4.0.0 Please upgrade to socket.io@4.5.x (see here)
socket.io@2.5.0 ~3.6.0 npm audit fix should be sufficient
socket.io@2.4.x and below ~3.5.0 Please upgrade to socket.io@2.5.0

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Thanks to Jonathan Neve for the responsible disclosure.

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

codecov[bot] commented 1 year ago

Codecov Report

Merging #95 (9b8d110) into master (897cddb) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##           master      #95   +/-   ##
=======================================
  Coverage   81.63%   81.63%           
=======================================
  Files          11       11           
  Lines         196      196           
  Branches       36       36           
=======================================
  Hits          160      160           
  Misses         21       21           
  Partials       15       15

:mega: We’re building smart automated test selection to slash your CI/CD build times. Learn more

sonarcloud[bot] commented 1 year ago

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information