search

itsapi / github-listener

A Node.js continuous deployment system for Github.
http://github.com/itsapi/github-listener
GNU General Public License v2.0
7 stars 0 forks source link

[Snyk] Upgrade socket.io from 2.4.1 to 2.5.0 #123

Closed snyk-bot closed 2 years ago

snyk-bot commented 2 years ago

Snyk has created this PR to upgrade socket.io from 2.4.1 to 2.5.0.

merge advice :information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Access Restriction Bypass
SNYK-JS-XMLHTTPREQUESTSSL-1255647		 472/1000
Why? Proof of Concept exploit, CVSS 7.3		 Proof of Concept
Arbitrary Code Injection
SNYK-JS-XMLHTTPREQUESTSSL-1082936		 472/1000
Why? Proof of Concept exploit, CVSS 7.3		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835		 472/1000
Why? Proof of Concept exploit, CVSS 7.3		 Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: socket.io
  • 2.5.0 - 2022-06-26

    ⚠️ WARNING ⚠️

    The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

    Security advisory: GHSA-j4f2-536g-r55m

    Bug Fixes

    • fix race condition in dynamic namespaces (05e1278)
    • ignore packet received after disconnection (22d4bdf)
    • only set 'connected' to true after middleware execution (226cc16)
    • prevent the socket from joining a room after disconnection (f223178)

    Links:

  • 2.4.1 - 2021-01-07
from socket.io GitHub release notes
Commit messages
Package name: socket.io
  • baa6804 chore(release): 2.5.0
  • f223178 fix: prevent the socket from joining a room after disconnection
  • 226cc16 fix: only set 'connected' to true after middleware execution
  • 05e1278 fix: fix race condition in dynamic namespaces
  • 22d4bdf fix: ignore packet received after disconnection
  • dfded53 chore: update engine.io version to 3.6.0
Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs