search

ibm-watson-data-lab / simple-search-service

A faceted search engine and content API.
39 stars 27 forks source link

[Snyk] Upgrade socket.io from 2.5.0 to 4.5.4 #128

Open ukmadlz opened 1 year ago

ukmadlz commented 1 year ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade socket.io from 2.5.0 to 4.5.4.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
*Warning:* This is a major version upgrade, and may be a breaking change. - The recommended version is **31 versions** ahead of your current version. - The recommended version was released **a month ago**, on 2022-11-22. The recommended version fixes: Severity | Issue | PriorityScore (*) | Exploit Maturity | :-------------------------:|:-------------------------|-------------------------|:------------------------- | Denial of Service (DoS)
[SNYK-JS-ENGINEIO-1056749](https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749) | **696/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7.5 | Proof of Concept (*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: socket.io
  • 4.5.4 - 2022-11-22

    This release contains a bump of:

    Links:

      </li>
  <li>
    <b>4.5.3</b> - <a href="https://snyk.io/redirect/github/socketio/socket.io/releases/tag/4.5.3">2022-10-15</a></br><h3>Bug Fixes</h3>
    • typings: accept an HTTP2 server in the constructor (d3d0a2d)
    • typings: apply types to "io.timeout(...).emit()" calls (e357daf)

    Links:

      </li>
  <li>
    <b>4.5.2</b> - <a href="https://snyk.io/redirect/github/socketio/socket.io/releases/tag/4.5.2">2022-09-02</a></br><h3>Bug Fixes</h3>
    • prevent the socket from joining a room after disconnection (18f3fda)
    • uws: prevent the server from crashing after upgrade (ba497ee)

    Links:

      </li>
  <li>
    <b>4.5.1</b> - <a href="https://snyk.io/redirect/github/socketio/socket.io/releases/tag/4.5.1">2022-05-17</a></br><h3>Bug Fixes</h3>
    • forward the local flag to the adapter when using fetchSockets() (30430f0)
    • typings: add HTTPS server to accepted types (#4351) (9b43c91)

    Links:

      </li>
  <li>
    <b>4.5.0</b> - <a href="https://snyk.io/redirect/github/socketio/socket.io/releases/tag/4.5.0">2022-04-23</a></br><h3>Bug Fixes</h3>
    • typings: ensure compatibility with TypeScript 3.x (#4259) (02c87a8)

    Features

    • add support for catch-all listeners for outgoing packets (531104d)

    This is similar to onAny(), but for outgoing packets.

    Syntax:

    socket.onAnyOutgoing((event, ...args) => {
console.log(event);
});

    • broadcast and expect multiple acks (8b20457)

    Syntax:

    io.timeout(1000).emit("some-event", (err, responses) => {
// ...
});

    • add the "maxPayload" field in the handshake details (088dcb4)

    So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize
    value.

    This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as
    we only add a field in the JSON-encoded handshake data:

    0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}

    Links:

      </li>
  <li>
    <b>4.4.1</b> - <a href="https://snyk.io/redirect/github/socketio/socket.io/releases/tag/4.4.1">2022-01-06</a></br><h3>Bug Fixes</h3>
    • types: make RemoteSocket.data type safe (#4234) (770ee59)
    • types: pass SocketData type to custom namespaces (#4233) (f2b8de7)

    Links:

      </li>
  <li>
    <b>4.4.0</b> - <a href="https://snyk.io/redirect/github/socketio/socket.io/releases/tag/4.4.0">2021-11-18</a></br><h3>Bug Fixes</h3>
    • only set 'connected' to true after middleware execution (02b0f73)

    Features

    • add an implementation based on uWebSockets.js (c0d8c5a)

    <div class="highlight highlight-source-js notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="const { App } = require("uWebSockets.js"); const { Server } = require("socket.io");

    const app = new App(); const io = new Server();

    io.attachApp(app);

    io.on("connection", (socket) => { // ... });

    app.listen(3000, (token) => { if (!token) { console.warn("port already in use"); } });">

    const { App } = require("uWebSockets.js");
const { Server } = require("socket.io");
    

    const app = new App();
const io = new Server();
    

    io.attachApp(app);
    

    io.on("connection", (socket) => {
// ...
});
    

    app.listen(3000, (token) => {
if (!token) {
console.warn("port already in use");
}
});

socket.timeout(5000).emit("my-event", (err) => {
if (err) {
// the client did not acknowledge the event in the given delay
}
});

<div class="highlight highlight-source-js notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="interface SocketData { name: string; age: number; }

const io = new Server<ClientToServerEvents, ServerToClientEvents, InterServerEvents, SocketData>();

io.on("connection", (socket) => { socket.data.name = "john"; socket.data.age = 42; });">

interface SocketData {
name: string;
age: number;
}


const io = new Server<ClientToServerEvents, ServerToClientEvents, InterServerEvents, SocketData>();


io.on("connection", (socket) => {
socket.data.name = "john";
socket.data.age = 42;
});

Links:

  </li>
  <li>
    <b>4.3.2</b> - <a href="https://snyk.io/redirect/github/socketio/socket.io/releases/tag/4.3.2">2021-11-08</a></br><h3>Bug Fixes</h3>

Links:

  </li>
  <li>
    <b>4.3.1</b> - <a href="https://snyk.io/redirect/github/socketio/socket.io/releases/tag/4.3.1">2021-10-16</a></br><h3>Bug Fixes</h3>

Links:

  </li>
  <li>
    <b>4.3.0</b> - 2021-10-14
  </li>
  <li>
    <b>4.2.0</b> - 2021-08-30
  </li>
  <li>
    <b>4.1.3</b> - 2021-07-10
  </li>
  <li>
    <b>4.1.2</b> - 2021-05-17
  </li>
  <li>
    <b>4.1.1</b> - 2021-05-11
  </li>
  <li>
    <b>4.1.0</b> - 2021-05-11
  </li>
  <li>
    <b>4.0.2</b> - 2021-05-06
  </li>
  <li>
    <b>4.0.1</b> - 2021-03-31
  </li>
  <li>
    <b>4.0.0</b> - 2021-03-10
  </li>
  <li>
    <b>3.1.2</b> - 2021-02-26
  </li>
  <li>
    <b>3.1.1</b> - 2021-02-03
  </li>
  <li>
    <b>3.1.0</b> - 2021-01-15
  </li>
  <li>
    <b>3.0.5</b> - 2021-01-05
  </li>
  <li>
    <b>3.0.4</b> - 2020-12-07
  </li>
  <li>
    <b>3.0.3</b> - 2020-11-19
  </li>
  <li>
    <b>3.0.2</b> - 2020-11-17
  </li>
  <li>
    <b>3.0.1</b> - 2020-11-09
  </li>
  <li>
    <b>3.0.0</b> - 2020-11-05
  </li>
  <li>
    <b>3.0.0-rc4</b> - 2020-10-30
  </li>
  <li>
    <b>3.0.0-rc3</b> - 2020-10-26
  </li>
  <li>
    <b>3.0.0-rc2</b> - 2020-10-15
  </li>
  <li>
    <b>3.0.0-rc1</b> - 2020-10-13
  </li>
  <li>
    <b>2.5.0</b> - <a href="https://snyk.io/redirect/github/socketio/socket.io/releases/tag/2.5.0">2022-06-26</a></br><p><g-emoji class="g-emoji" alias="warning" fallback-src="https://github.githubassets.com/images/icons/emoji/unicode/26a0.png">⚠️</g-emoji> WARNING <g-emoji class="g-emoji" alias="warning" fallback-src="https://github.githubassets.com/images/icons/emoji/unicode/26a0.png">⚠️</g-emoji></p>

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: GHSA-j4f2-536g-r55m

Bug Fixes

Links:

  </li>
</ul>
from <a href="https://snyk.io/redirect/github/socketio/socket.io/releases">socket.io GitHub release notes</a>

Commit messages
Package name: socket.io Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs