search

itsapi / github-listener

A Node.js continuous deployment system for Github.
http://github.com/itsapi/github-listener
GNU General Public License v2.0
7 stars 0 forks source link

[Snyk] Upgrade socket.io from 2.4.0 to 2.4.1 #115

Closed snyk-bot closed 3 years ago

snyk-bot commented 3 years ago

Snyk has created this PR to upgrade socket.io from 2.4.0 to 2.4.1.

merge advice :information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Release notes
Package name: socket.io
  • 2.4.1 - 2021-01-07

    This release reverts the breaking change introduced in 2.4.0 (f78a575).

    If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

    • without CORS (server and client are served from the same domain):
    io.origins((req, callback) => {
  callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
});
    • with CORS (server and client are served from distinct domains):
    io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

    In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

    Reverts

    • fix(security): do not allow all origins by default (a169050)

    Links:

    • Diff: 2.4.0...2.4.1
    • Client release: -
    • engine.io version: ~3.5.0
    • ws version: ~7.4.2
  • 2.4.0 - 2021-01-04

    Related blog post: https://socket.io/blog/socket-io-2-4-0/

    Features (from Engine.IO)

    • add support for all cookie options (19cc582)
    • disable perMessageDeflate by default (5ad2736)

    Bug Fixes

    • security: do not allow all origins by default (f78a575)
    • properly overwrite the query sent in the handshake (d33a619)

    ⚠️ BREAKING CHANGE ⚠️

    Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

    Please note that you are not impacted if:

    • you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
    • you are using Socket.IO v3 (disabled by default)

    This commit also removes the support for '*' matchers and protocol-less URL:

    io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

    To restore the previous behavior (please use with caution):

    io.origins((_, callback) => {
  callback(null, true);
});

    See also:

    Thanks a lot to @ ni8walk3r for the security report.

    Links:

from socket.io GitHub release notes
Commit messages
Package name: socket.io
  • e6b8697 chore(release): 2.4.1
  • a169050 revert: fix(security): do not allow all origins by default
Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs