search

talevy013 / TestTal

MIT License
0 stars 0 forks source link

Update dependency socket.io to v3 - autoclosed #317

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 1 year ago

This PR contains the following updates:

Package Type Update Change
socket.io dependencies major ^2.1.0 -> ^3.0.0

By merging this PR, the below issues will be automatically resolved and closed:

Severity CVSS Score CVE GitHub Issue
High 9.4 CVE-2021-31597 #230
High 8.1 CVE-2020-28502 #162
High 8.1 WS-2020-0443 #218
High 7.5 CVE-2020-36048 #232
High 7.5 CVE-2020-36049 #235
Medium 6.5 CVE-2022-41940 #288
Medium 5.3 CVE-2021-32640 #305
Medium 5.3 CVE-2021-32640 #305
Medium 4.3 CVE-2020-28481 #228

Release Notes

socketio/socket.io ### [`v3.0.0`](https://togithub.com/socketio/socket.io/blob/HEAD/CHANGELOG.md#​300-httpsgithubcomsocketiosocketiocompare230300-2020-11-05) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.5.0...3.0.0) ##### Bug Fixes - close clients with no namespace ([91cd255](https://togithub.com/socketio/socket.io/commit/91cd255ba76ff6a780c62740f9f5cd3a76f5d7c7)) ##### Features - emit an Error object upon middleware error ([54bf4a4](https://togithub.com/socketio/socket.io/commit/54bf4a44e9e896dfb64764ee7bd4e8823eb7dc7b)) - serve msgpack bundle ([aa7574f](https://togithub.com/socketio/socket.io/commit/aa7574f88471aa30ae472a5cddf1000a8baa70fd)) - add support for catch-all listeners ([5c73733](https://togithub.com/socketio/socket.io/commit/5c737339858d59eab4b5ee2dd6feff0e82c4fe5a)) - make Socket#join() and Socket#leave() synchronous ([129c641](https://togithub.com/socketio/socket.io/commit/129c6417bd818bc8b4e1b831644323876e627c13)) - remove prod dependency to socket.io-client ([7603da7](https://togithub.com/socketio/socket.io/commit/7603da71a535481e3fc60e38b013abf78516d322)) - move binary detection back to the parser ([669592d](https://togithub.com/socketio/socket.io/commit/669592d120409a5cf00f128070dee6d22259ba4f)) - add ES6 module export ([8b6b100](https://togithub.com/socketio/socket.io/commit/8b6b100c284ccce7d85e55659e3397f533916847)) - do not reuse the Engine.IO id ([2875d2c](https://togithub.com/socketio/socket.io/commit/2875d2cfdfa463e64cb520099749f543bbc4eb15)) - remove Server#set() method ([029f478](https://togithub.com/socketio/socket.io/commit/029f478992f59b1eb5226453db46363a570eea46)) - remove Socket#rooms object ([1507b41](https://togithub.com/socketio/socket.io/commit/1507b416d584381554d1ed23c9aaf3b650540071)) - remove the 'origins' option ([a8c0600](https://togithub.com/socketio/socket.io/commit/a8c06006098b512ba1b8b8df82777349db486f41)) - remove the implicit connection to the default namespace ([3289f7e](https://togithub.com/socketio/socket.io/commit/3289f7ec376e9ec88c2f90e2735c8ca8d01c0e97)) - throw upon reserved event names ([4bd5b23](https://togithub.com/socketio/socket.io/commit/4bd5b2339a66a5a675e20f689fff2e70ff12d236)) ##### BREAKING CHANGES - the Socket#use() method is removed (see [5c73733](https://togithub.com/socketio/socket.io/commit/5c737339858d59eab4b5ee2dd6feff0e82c4fe5a)) - Socket#join() and Socket#leave() do not accept a callback argument anymore. Before: ```js socket.join("room1", () => { io.to("room1").emit("hello"); }); ``` After: ```js socket.join("room1"); io.to("room1").emit("hello"); // or await socket.join("room1"); for custom adapters ``` - the "connected" map is renamed to "sockets" - the Socket#binary() method is removed, as this use case is now covered by the ability to provide your own parser. - the 'origins' option is removed Before: ```js new Server(3000, { origins: ["https://example.com"] }); ``` The 'origins' option was used in the allowRequest method, in order to determine whether the request should pass or not. And the Engine.IO server would implicitly add the necessary Access-Control-Allow-xxx headers. After: ```js new Server(3000, { cors: { origin: "https://example.com", methods: ["GET", "POST"], allowedHeaders: ["content-type"] } }); ``` The already existing 'allowRequest' option can be used for validation: ```js new Server(3000, { allowRequest: (req, callback) => { callback(null, req.headers.referer.startsWith("https://example.com")); } }); ``` - Socket#rooms is now a Set instead of an object - Namespace#connected is now a Map instead of an object - there is no more implicit connection to the default namespace: ```js // client-side const socket = io("/admin"); // server-side io.on("connect", socket => { // not triggered anymore }) io.use((socket, next) => { // not triggered anymore }); io.of("/admin").use((socket, next) => { // triggered }); ``` - the Server#set() method was removed This method was kept for backward-compatibility with pre-1.0 versions. ### [`v2.5.0`](https://togithub.com/socketio/socket.io/blob/HEAD/CHANGELOG.md#​250-httpsgithubcomsocketiosocketiocompare241250-2022-06-26) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.4.1...2.5.0) ⚠️ WARNING ⚠️ The default value of the `maxHttpBufferSize` option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service. Security advisory: [GHSA-j4f2-536g-r55m](https://togithub.com/advisories/GHSA-j4f2-536g-r55m) ##### Bug Fixes - fix race condition in dynamic namespaces ([05e1278](https://togithub.com/socketio/socket.io/commit/05e1278cfa99f3ecf3f8f0531ffe57d850e9a05b)) - ignore packet received after disconnection ([22d4bdf](https://togithub.com/socketio/socket.io/commit/22d4bdf00d1a03885dc0171125faddfaef730066)) - only set 'connected' to true after middleware execution ([226cc16](https://togithub.com/socketio/socket.io/commit/226cc16165f9fe60f16ff4d295fb91c8971cde35)) - prevent the socket from joining a room after disconnection ([f223178](https://togithub.com/socketio/socket.io/commit/f223178eb655a7713303b21a78f9ef9e161d6458)) ##### Dependencies - [`engine.io@~3.6.0`](https://togithub.com/socketio/engine.io/releases/tag/3.6.0) (https://github.com/socketio/engine.io/compare/3.5.0...3.6.0) - [`ws@~7.4.2`](https://togithub.com/websockets/ws/releases/tag/7.4.2) (no change) #### [4.5.1](https://togithub.com/socketio/socket.io/compare/4.5.0...4.5.1) (2022-05-17) ##### Bug Fixes - forward the local flag to the adapter when using fetchSockets() ([30430f0](https://togithub.com/socketio/socket.io/commit/30430f0985f8e7c49394543d4c84913b6a15df60)) - **typings:** add HTTPS server to accepted types ([#​4351](https://togithub.com/socketio/socket.io/issues/4351)) ([9b43c91](https://togithub.com/socketio/socket.io/commit/9b43c9167cff817c60fa29dbda2ef7cd938aff51)) ##### Dependencies - [`engine.io@~6.2.0`](https://togithub.com/socketio/engine.io/releases/tag/6.2.0) (no change) - [`ws@~8.2.3`](https://togithub.com/websockets/ws/releases/tag/8.2.3) (no change) ### [`v2.4.1`](https://togithub.com/socketio/socket.io/blob/HEAD/CHANGELOG.md#​241-httpsgithubcomsocketiosocketiocompare240241-2021-01-07) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.4.0...2.4.1) ##### Reverts - fix(security): do not allow all origins by default ([a169050](https://togithub.com/socketio/socket.io/commit/a1690509470e9dd5559cec4e60908ca6c23e9ba0)) ### [`v2.4.0`](https://togithub.com/socketio/socket.io/blob/HEAD/CHANGELOG.md#​240-httpsgithubcomsocketiosocketiocompare230240-2021-01-04) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.3.0...2.4.0) ##### Bug Fixes - **security:** do not allow all origins by default ([f78a575](https://togithub.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7)) - properly overwrite the query sent in the handshake ([d33a619](https://togithub.com/socketio/socket.io/commit/d33a619905a4905c153d4fec337c74da5b533a9e)) #### [3.0.4](https://togithub.com/socketio/socket.io/compare/3.0.3...3.0.4) (2020-12-07) #### [3.0.3](https://togithub.com/socketio/socket.io/compare/3.0.2...3.0.3) (2020-11-19) #### [3.0.2](https://togithub.com/socketio/socket.io/compare/3.0.1...3.0.2) (2020-11-17) ##### Bug Fixes - merge Engine.IO options ([43705d7](https://togithub.com/socketio/socket.io/commit/43705d7a9149833afc69edc937ea7f8c9aabfeef)) #### [3.0.1](https://togithub.com/socketio/socket.io/compare/3.0.0...3.0.1) (2020-11-09) ##### Bug Fixes - export ServerOptions and Namespace types ([#​3684](https://togithub.com/socketio/socket.io/issues/3684)) ([f62f180](https://togithub.com/socketio/socket.io/commit/f62f180edafdd56d8a8a277e092bc66df0c5f07f)) - **typings:** update the signature of the emit method ([50671d9](https://togithub.com/socketio/socket.io/commit/50671d984a81535a6a15c704546ca7465e2ea295)) ### [`v2.3.0`](https://togithub.com/socketio/socket.io/blob/HEAD/CHANGELOG.md#​230-httpsgithubcomsocketiosocketiocompare220230-2019-09-20) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.2.0...2.3.0) This release mainly contains a bump of the `engine.io` and `ws` packages, but no additional features. ### [`v2.2.0`](https://togithub.com/socketio/socket.io/blob/HEAD/CHANGELOG.md#​220-httpsgithubcomsocketiosocketiocompare211220-2018-11-29) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.1.1...2.2.0) ##### Features - add cache-control header when serving the client source ([#​2907](https://togithub.com/socketio/socket.io/pull/2907)) ([b00ae50](https://togithub.com/socketio/socket.io/commit/b00ae50be65d1bc88fa95145f1c486a6886a6b76)) ##### Bug fixes - throw an error when trying to access the clients of a dynamic namespace ([#​3355](https://togithub.com/socketio/socket.io/pull/3355)) ([a7fbd1a](https://togithub.com/socketio/socket.io/commit/a7fbd1ac4a47cafd832fc62e371754df924c5903)) ### [`v2.1.1`](https://togithub.com/socketio/socket.io/blob/HEAD/CHANGELOG.md#​211-httpsgithubcomsocketiosocketiocompare210211-2018-05-17) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.1.0...2.1.1) ##### Features - add local flag to the socket object ([#​3129](https://togithub.com/socketio/socket.io/pull/3219)) ([1decae3](https://togithub.com/socketio/socket.io/commit/1decae341c80c0417b32d3124ca30c005240b48a)) ```js socket.local.to('room101').emit(/* */); ```