adobe / aem-core-cif-components

A set of configurations and components to get you started with AEM Commerce development
Apache License 2.0

chore(deps): update dependency socket.io-parser to 4.0.5 [security] - autoclosed #968

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change
socket.io-parser 4.0.4 -> 4.0.5

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the logs for more information.

GitHub Vulnerability Alerts

CVE-2022-2421

Due to improper type validation in the socket.io-parser library (which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets), it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Example:

```js
// Import assumed here; the advisory snippet omits it.
const { Decoder } = require("socket.io-parser");

const decoder = new Decoder();

decoder.on("decoded", (packet) => {
  console.log(packet.data); // prints [ 'hello', [Function: splice] ]
});

// Type 5 = BINARY_EVENT with one attachment; "num" is a string, not an index.
decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');
decoder.add(Buffer.from("world"));
```

This bubbles up in the socket.io package:

```js
// Server setup assumed here; the advisory snippet omits it.
const { Server } = require("socket.io");
const io = new Server(3000);

io.on("connection", (socket) => {
  socket.on("hello", (val) => {
    // here, "val" could be a reference instead of what the user expected
  });
});
```

At first sight, the potential impact seems rather limited, but please upgrade to a safe version as soon as possible.

This should be fixed by:

Dependency analysis for the socket.io package

| socket.io version | socket.io-parser version | Covered? |
|---|---|---|
| 4.5.2...latest | ~4.2.0 | Yes :heavy_check_mark: |
| 4.1.3...4.5.1 | ~4.0.4 | Yes :heavy_check_mark: |
| 3.0.5...4.1.2 | ~4.0.3 | Yes :heavy_check_mark: |
| 3.0.0...3.0.4 | ~4.0.1 | Yes :heavy_check_mark: |

Dependency analysis for the socket.io-client package

| socket.io-client version | socket.io-parser version | Covered? |
|---|---|---|
| 4.5.0...latest | ~4.2.0 | Yes :heavy_check_mark: |
| 4.3.0...4.4.1 | ~4.1.1 | No, but the impact is very limited |
| 3.1.0...4.2.0 | ~4.0.4 | Yes :heavy_check_mark: |
| 3.0.5 | ~4.0.3 | Yes :heavy_check_mark: |
| 3.0.0...3.0.4 | ~4.0.1 | Yes :heavy_check_mark: |

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
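The advisory above explains the bug only by its symptom (a function reference landing in `packet.data`). The following added example, written for this PR page and not taken from socket.io-parser or the aem-core-cif-components project, reconstructs the placeholder-substitution step of a Socket.IO binary packet decoder in a vulnerable and a hardened form and runs both over the advisory's malicious packet plus a constructed legitimate one. The header parser, the function names (`decodeHeader`, `reconstructVulnerable`, `reconstructHardened`, `decodePacket`) and the inputs are assumptions for illustration; namespace and ack-id handling are omitted. It assumes Node.js for the global `Buffer`.

```javascript
// Added example: vulnerable vs hardened placeholder substitution for
// Socket.IO binary packets. Not the library's code; names are assumptions.

const BINARY_EVENT = 5;

// Parse the textual half of a binary packet such as '51-["hello",...]':
// one digit for the type, the attachment count terminated by '-', then
// the JSON payload. Namespace and ack id are omitted for brevity.
function decodeHeader(str) {
  const type = Number(str[0]);
  let i = 1;
  let attachments = 0;
  if (type === BINARY_EVENT) {
    const start = i;
    while (str[i] !== "-") {
      if (i === str.length) throw new Error("illegal attachments");
      i++;
    }
    attachments = Number(str.substring(start, i));
    i++; // skip '-'
  }
  return { type, attachments, data: JSON.parse(str.substring(i)) };
}

// Vulnerable form: trusts `num` as-is. `buffers` is an Array, so a string
// such as "splice" indexes Array.prototype and returns a function reference.
function reconstructVulnerable(data, buffers) {
  if (!data) return data;
  if (data._placeholder) {
    return buffers[data.num];
  } else if (Array.isArray(data)) {
    return data.map((d) => reconstructVulnerable(d, buffers));
  } else if (typeof data === "object") {
    for (const key of Object.keys(data)) {
      data[key] = reconstructVulnerable(data[key], buffers);
    }
  }
  return data;
}

// Hardened form: `_placeholder` must be strictly true and `num` must be a
// number inside the attachment range, otherwise the packet is rejected.
function reconstructHardened(data, buffers) {
  if (!data) return data;
  if (data._placeholder === true) {
    const valid =
      typeof data.num === "number" && data.num >= 0 && data.num < buffers.length;
    if (!valid) throw new Error("illegal attachments");
    return buffers[data.num];
  } else if (Array.isArray(data)) {
    return data.map((d) => reconstructHardened(d, buffers));
  } else if (typeof data === "object") {
    for (const key of Object.keys(data)) {
      data[key] = reconstructHardened(data[key], buffers);
    }
  }
  return data;
}

// Decode the text part, check the attachment count, then substitute
// placeholders with the chosen reconstruction strategy.
function decodePacket(text, buffers, reconstruct) {
  const packet = decodeHeader(text);
  if (buffers.length !== packet.attachments) {
    throw new Error("attachment count mismatch");
  }
  packet.data = reconstruct(packet.data, buffers);
  return packet;
}

// Constructed inputs: the advisory's malicious packet and a legitimate one.
const MALICIOUS = '51-["hello",{"_placeholder":true,"num":"splice"}]';
const LEGIT = '51-["hello",{"_placeholder":true,"num":0}]';
const ATTACHMENT = Buffer.from("world");

// Summarise what each strategy does with each packet.
function summarize() {
  const bad = decodePacket(MALICIOUS, [ATTACHMENT], reconstructVulnerable);
  let hardenedRejected = false;
  try {
    decodePacket(MALICIOUS, [ATTACHMENT], reconstructHardened);
  } catch (e) {
    hardenedRejected = e.message === "illegal attachments";
  }
  const ok = decodePacket(LEGIT, [ATTACHMENT], reconstructHardened);
  return {
    vulnerableLeaksFunction: typeof bad.data[1] === "function",
    hardenedRejected,
    hardenedLegit: ok.data[1].toString(),
  };
}

console.log(summarize());
```

The difference that matters is the type check on `num`: an array indexed with a non-numeric string falls through to `Array.prototype`, which is exactly how `"splice"` becomes a function reference in the decoded event arguments.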

codecov[bot] commented 1 year ago

Codecov Report

Merging #968 (0e54a31) into master (dbe0f6d) will not change coverage. The diff coverage is n/a.

```diff
@@            Coverage Diff            @@
##             master     #968   +/-   ##
=========================================
  Coverage     89.15%   89.15%           
  Complexity     2212     2212           
=========================================
  Files           354      354           
  Lines          9987     9987           
  Branches       1438     1438           
=========================================
  Hits           8904     8904           
  Misses          787      787           
  Partials        296      296           
```
| Flag | Coverage Δ |
|---|---|
| integration | 51.78% <ø> (ø) |
| jest | 86.68% <ø> (ø) |
| karma | 95.53% <ø> (ø) |
| unittests | 87.43% <ø> (ø) |

Flags with carried forward coverage won't be shown.
