ministryofjustice / cla_frontend

CLA Front End
http://ministryofjustice.github.io/cla_docs/
MIT License
3 stars 4 forks source link

[Snyk] Security upgrade socket.io from 4.5.3 to 4.6.0 #902

Closed mtac50 closed 5 months ago

mtac50 commented 1 year ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - cla_socketserver/package.json - cla_socketserver/package-lock.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:------------------------- ![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") | **661/1000**
**Why?** Recently disclosed, Has a fix available, CVSS 7.5 | Uncaught Exception
[SNYK-JS-ENGINEIO-5496331](https://snyk.io/vuln/SNYK-JS-ENGINEIO-5496331) | No | No Known Exploit (*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: socket.io The new version differs by 25 commits.
  • a2e5d1f chore(release): 4.6.0
  • d8143cc refactor: do not persist session if connection state recovery if disabled
  • b2dd7cf chore: bump engine.io to version 6.4.0
  • 3734b74 revert: feat: expose current offset to allow deduplication
  • 8aa9499 feat: add description to the disconnecting and disconnect events (#4622)
  • 4e64123 feat: expose current offset to allow deduplication
  • 115a981 refactor: do not include the pid by default
  • 0c0eb00 fix: add timeout method to remote socket (#4558)
  • f8640d9 refactor: export DisconnectReason type
  • 93d446a refactor: add charset when serving the bundle files
  • 184f3cf feat: add promise-based acknowledgements
  • 5d9220b feat: add the ability to clean up empty child namespaces (#4602)
  • 1298839 test: add test with onAnyOutgoing() and binary attachments
  • 6c27b8b test: add test with socket.disconnect(true)
  • f3ada7d fix(typings): properly type emits with timeout
  • a21ad88 docs(changelog): add note about maxHttpBufferSize default value (#4596)
  • 54d5ee0 feat: implement connection state recovery
  • da2b542 perf: precompute the WebSocket frames when broadcasting
  • b7d54db docs: add Rust client implementation (#4592)
  • d4a9b2c refactor(typings): add types for io.engine (#4591)
  • 547c541 chore: add security policy
  • 3b7ced7 chore(release): 4.5.4
  • c00bb95 chore: bump engine.io to version 6.2.1
  • 57e5f25 chore: bump socket.io-parser to version 4.2.1
See the full diff
Check the changes in this PR to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: 🧐 [View latest project report](https://app.snyk.io/org/legal-aid-agency/project/f2638df0-0ed9-4fe7-a615-0679b2261f14?utm_source=github&utm_medium=referral&page=fix-pr) 🛠 [Adjust project settings](https://app.snyk.io/org/legal-aid-agency/project/f2638df0-0ed9-4fe7-a615-0679b2261f14?utm_source=github&utm_medium=referral&page=fix-pr/settings) 📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) [//]: # (snyk:metadata:{"prId":"293e9da1-2208-40a6-9e59-96de2a326450","prPublicId":"293e9da1-2208-40a6-9e59-96de2a326450","dependencies":[{"name":"socket.io","from":"4.5.3","to":"4.6.0"}],"packageManager":"npm","projectPublicId":"f2638df0-0ed9-4fe7-a615-0679b2261f14","projectUrl":"https://app.snyk.io/org/legal-aid-agency/project/f2638df0-0ed9-4fe7-a615-0679b2261f14?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-JS-ENGINEIO-5496331"],"upgrade":["SNYK-JS-ENGINEIO-5496331"],"isBreakingChange":false,"env":"prod","prType":"fix","templateVariants":["updated-fix-title","priorityScore"],"priorityScoreList":[661],"remediationStrategy":"vuln"}) --- **Learn how to fix vulnerabilities with free interactive lessons:** 🦉 [Learn about vulnerability in an interactive lesson of Snyk Learn.](https://learn.snyk.io/?loc=fix-pr)
sonarcloud[bot] commented 1 year ago

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication