search

r-hannuschka / ngx-fileupload

angular x fileupload
MIT License
20 stars 7 forks source link

chore(deps): update dependency engine.io to 6.2.1 [security] - autoclosed #767

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change
engine.io 6.2.0 -> 6.2.1

GitHub Vulnerability Alerts

CVE-2022-41940

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

Version range Fixed version
engine.io@3.x.y 3.6.1
engine.io@6.x.y 6.2.1

For socket.io users:

Version range engine.io version Needs minor update?
socket.io@4.5.x ~6.2.0 npm audit fix should be sufficient
socket.io@4.4.x ~6.1.0 Please upgrade to socket.io@4.5.x
socket.io@4.3.x ~6.0.0 Please upgrade to socket.io@4.5.x
socket.io@4.2.x ~5.2.0 Please upgrade to socket.io@4.5.x
socket.io@4.1.x ~5.1.1 Please upgrade to socket.io@4.5.x
socket.io@4.0.x ~5.0.0 Please upgrade to socket.io@4.5.x
socket.io@3.1.x ~4.1.0 Please upgrade to socket.io@4.5.x (see here)
socket.io@3.0.x ~4.0.0 Please upgrade to socket.io@4.5.x (see here)
socket.io@2.5.0 ~3.6.0 npm audit fix should be sufficient
socket.io@2.4.x and below ~3.5.0 Please upgrade to socket.io@2.5.0

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Thanks to Jonathan Neve for the responsible disclosure.

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

codecov[bot] commented 1 year ago

Codecov Report

Merging #767 (dacd048) into development (9510f42) will not change coverage. The diff coverage is n/a.

@@             Coverage Diff              @@
##           development     #767   +/-   ##
============================================
  Coverage        98.95%   98.95%           
============================================
  Files               12       12           
  Lines              287      287           
  Branches            53       53           
============================================
  Hits               284      284           
  Partials             3        3
Flag Coverage Δ
core 98.95% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

:mega: We’re building smart automated test selection to slash your CI/CD build times. Learn more