search

ministryofjustice / cla_frontend

CLA Front End
http://ministryofjustice.github.io/cla_docs/
MIT License
3 stars 4 forks source link

[Snyk] Security upgrade socket.io from 1.7.4 to 3.0.0 #874

Closed snyk-bot closed 5 months ago

snyk-bot commented 1 year ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
Severity Issue Breaking Change Exploit Maturity
high severity Denial of Service (DoS)
SNYK-JS-ENGINEIO-1056749		 Yes Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-ENGINEIO-3136336		 Yes No Known Exploit
medium severity Insecure Defaults
SNYK-JS-SOCKETIO-1024859		 Yes Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-1056752		 Yes Proof of Concept
critical severity Improper Input Validation
SNYK-JS-SOCKETIOPARSER-3091012		 Yes No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835		 Yes Proof of Concept
low severity Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 Yes No Known Exploit
low severity Regular Expression Denial of Service (ReDoS)
npm:ms:20170412		 Yes No Known Exploit
Commit messages
Package name: socket.io The new version differs by 154 commits.
  • 1af3267 chore(release): 3.0.0
  • 02951c4 chore(release): 3.0.0-rc4
  • 54bf4a4 feat: emit an Error object upon middleware error
  • aa7574f feat: serve msgpack bundle
  • 64056d6 docs(examples): update TypeScript example
  • cacad70 chore(release): 3.0.0-rc3
  • d16c035 refactor: rename ERROR to CONNECT_ERROR
  • 5c73733 feat: add support for catch-all listeners
  • 129c641 feat: make Socket#join() and Socket#leave() synchronous
  • 0d74f29 refactor(typings): export Socket class
  • 7603da7 feat: remove prod dependency to socket.io-client
  • a81b9f3 docs(examples): add example with TypeScript
  • 20ea6bd docs(examples): add example with ES modules
  • 0ce5b4c chore(release): 3.0.0-rc2
  • 8a5db7f refactor: remove duplicate _sockets map
  • 2a05042 refactor: add additional typings
  • 91cd255 fix: close clients with no namespace
  • 58b66f8 refactor: hide internal methods and properties
  • 669592d feat: move binary detection back to the parser
  • 2d2a31e chore: publish the wrapper.mjs file
  • ebb0575 chore(release): 3.0.0-rc1
  • c0d171f test: use the reconnect event of the Manager
  • 9c7a48d test: use the complete export name
  • 4bd5b23 feat: throw upon reserved event names
See the full diff
With a Snyk patch:
Severity Issue Exploit Maturity
low severity Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 No Known Exploit
low severity Regular Expression Denial of Service (ReDoS)
npm:ms:20170412		 No Known Exploit

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS) 🦉 Denial of Service (DoS) 🦉 Denial of Service (DoS) 🦉 More lessons are available in Snyk Learn

sonarcloud[bot] commented 1 year ago

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication