📱 The easiest way to write conditional CSS and/or JavaScript based on device operating system (iOS, Android, Blackberry, Windows, Firefox OS, MeeGo), orientation (Portrait vs. Landscape), and type (Tablet vs. Mobile).
Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
This PR contains the following updates:
3.1.5
->3.6.1
GitHub Vulnerability Alerts
CVE-2020-36048
Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
CVE-2022-41940
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
This impacts all the users of the
engine.io
package, including those who uses depending packages likesocket.io
.Patches
A fix has been released today (2022/11/20):
engine.io@3.x.y
3.6.1
engine.io@6.x.y
6.2.1
For
socket.io
users:engine.io
versionsocket.io@4.5.x
~6.2.0
npm audit fix
should be sufficientsocket.io@4.4.x
~6.1.0
socket.io@4.5.x
socket.io@4.3.x
~6.0.0
socket.io@4.5.x
socket.io@4.2.x
~5.2.0
socket.io@4.5.x
socket.io@4.1.x
~5.1.1
socket.io@4.5.x
socket.io@4.0.x
~5.0.0
socket.io@4.5.x
socket.io@3.1.x
~4.1.0
socket.io@4.5.x
(see here)socket.io@3.0.x
~4.0.0
socket.io@4.5.x
(see here)socket.io@2.5.0
~3.6.0
npm audit fix
should be sufficientsocket.io@2.4.x
and below~3.5.0
socket.io@2.5.0
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
engine.io
Thanks to Jonathan Neve for the responsible disclosure.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.