search

cashapp / misk-web

Micro-Frontends React + Redux + Typescript Framework
https://cashapp.github.io/misk-web/
Apache License 2.0
66 stars 18 forks source link

Update dependency socket.io-parser [SECURITY] #2069

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change
socket.io-parser 4.2.2 -> 4.2.3
socket.io-parser 3.4.2 -> 3.4.3

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-32695

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

socket.io version socket.io-parser version Needs minor update?
4.5.2...latest ~4.2.0 (ref) npm audit fix should be sufficient
4.1.3...4.5.1 ~4.1.1 (ref) Please upgrade to socket.io@4.6.x
3.0.5...4.1.2 ~4.0.3 (ref) Please upgrade to socket.io@4.6.x
3.0.0...3.0.4 ~4.0.1 (ref) Please upgrade to socket.io@4.6.x
2.3.0...2.5.0 ~3.4.0 (ref) npm audit fix should be sufficient

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Thanks to @​rafax00 for the responsible disclosure.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

This PR has been generated by Mend Renovate. View repository job log here.