search

r-hannuschka / ngx-fileupload

angular x fileupload
MIT License
20 stars 7 forks source link

chore(deps): update dependency engine.io to 6.1.1 [security] #662

Closed renovate[bot] closed 2 years ago

renovate[bot] commented 2 years ago

WhiteSource Renovate

This PR contains the following updates:

Package Change
engine.io 6.0.1 -> 6.1.1

GitHub Vulnerability Alerts

CVE-2022-21676

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14) at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22) at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10) at writeOrBuffer (internal/streams/writable.js:358:12)

This impacts all the users of the engine.io package starting from version 4.0.0, including those who uses depending packages like socket.io.

Patches

A fix has been released for each major branch:

Version range Fixed version
engine.io@4.x.x 4.1.2
engine.io@5.x.x 5.2.1
engine.io@6.x.x 6.1.1

Previous versions (< 4.0.0) are not impacted.

For socket.io users:

Version range engine.io version Needs minor update?
socket.io@4.4.x ~6.1.0 -
socket.io@4.3.x ~6.0.0 Please upgrade to socket.io@4.4.x
socket.io@4.2.x ~5.2.0 -
socket.io@4.1.x ~5.1.1 Please upgrade to socket.io@4.4.x
socket.io@4.0.x ~5.0.0 Please upgrade to socket.io@4.4.x
socket.io@3.1.x ~4.1.0 -
socket.io@3.0.x ~4.0.0 Please upgrade to socket.io@3.1.x or socket.io@4.4.x (see here)

In most cases, running npm audit fix should be sufficient. You can also use npm update engine.io --depth=9999.

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

Configuration

📅 Schedule: "" in timezone Europe/Berlin.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by WhiteSource Renovate. View repository job log here.

codecov[bot] commented 2 years ago

Codecov Report

Merging #662 (6fbae3b) into development (556fea8) will not change coverage. The diff coverage is n/a.

Impacted file tree graph

@@             Coverage Diff              @@
##           development     #662   +/-   ##
============================================
  Coverage        97.17%   97.17%           
============================================
  Files               12       12           
  Lines              283      283           
  Branches            54       54           
============================================
  Hits               275      275           
  Partials             8        8
Flag Coverage Δ
core 97.17% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 556fea8...6fbae3b. Read the comment docs.