:warning: This release contains an important security fix :warning:
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
Error: read ECONNRESET
at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
at emitErrorNT (internal/streams/destroy.js:106:8)
at emitErrorCloseNT (internal/streams/destroy.js:74:3)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
errno: -104,
code: 'ECONNRESET',
syscall: 'read'
}
Please upgrade as soon as possible.
Bug Fixes
catch errors when destroying invalid upgrades (#658) (425e833)
6.2.0
Features
add the "maxPayload" field in the handshake details (088dcb4)
So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize
value.
This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as
we only add a field in the JSON-encoded handshake data:
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/gbj/venite/network/alerts).
Bumps engine.io to 6.2.1 and updates ancestor dependency @nestjs/platform-socket.io. These dependencies need to be updated together.
Updates
engine.io
from 3.4.1 to 6.2.1Release notes
Sourced from engine.io's releases.
... (truncated)
Changelog
Sourced from engine.io's changelog.
... (truncated)
Commits
24b847b
chore(release): 6.2.1425e833
fix: catch errors when destroying invalid upgrades (#658)99adb00
chore(deps): bump xmlhttprequest-ssl and engine.io-client in /examples/latenc...d196f6a
chore(deps): bump minimatch from 3.0.4 to 3.1.2 (#660)7c1270f
chore(deps): bump nanoid from 3.1.25 to 3.3.1 (#659)535a01d
ci: add Node.js 18 in the test matrix1b71a6f
docs: remove "Vanilla JS" highlight from README (#656)917d1d2
refactor: replace deprecatedString.prototype.substr()
(#646)020801a
chore: add changelog for version 3.6.0ed1d6f9
test: make test script work on Windows (#643)Updates
@nestjs/platform-socket.io
from 7.0.9 to 9.2.0Release notes
Sourced from
@nestjs/platform-socket
.io's releases.... (truncated)
Commits
8101900
chore(@nestjs
) publish v9.2.0 release05ee137
Merge pull request #10459 from SirReiva/fix-fastify-responsefc6b34b
Merge pull request #10345 from tolgap/fix/9517-keep-alive-connections-blockingdc2582a
Merge pull request #10479 from micalevisk/feat/verbose-wrong-controller-error1f376fe
Update packages/platform-express/adapters/express-adapter.ts7ec60ca
Merge pull request #10460 from thiagomini/feature/10392-http-exceptions-cause...ee82c7b
Update packages/core/errors/messages.ts4d3f283
Update packages/core/errors/exceptions/unknown-request-mapping.exception.tse04e414
Merge pull request #10481 from micalevisk/feat/issue-10480ea4c1d8
Merge pull request #10484 from thiagomini/feature/8844-api-version-in-route-infoDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/gbj/venite/network/alerts).