search

the-chain / airmedfoundation-terminal

Airmed Foundation's IPFS + Hyperledger Fabric web client
https://airmedfoundation.thechain.tech/
GNU Affero General Public License v3.0
70 stars 26 forks source link

Bump engine.io and sails-hook-sockets #32

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 1 year ago

Bumps engine.io to 3.6.1 and updates ancestor dependency sails-hook-sockets. These dependencies need to be updated together.

Updates engine.io from 3.1.5 to 3.6.1

Release notes

Sourced from engine.io's releases.

3.6.1

:warning: This release contains an important security fix :warning:

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

  • catch errors when destroying invalid upgrades (83c4071)

3.6.0

Bug Fixes

  • add extension in the package.json main entry (#608) (3ad0567)
  • do not reset the ping timer after upgrade (1f5d469)

Features

  • decrease the default value of maxHttpBufferSize (58e274c)

This change reduces the default value from 100 mb to a more sane 1 mb.

This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.

See also: https://github.com/advisories/GHSA-j4f2-536g-r55m

  • increase the default value of pingTimeout (f55a79a)

Links

... (truncated)

Changelog

Sourced from engine.io's changelog.

3.6.1 (2022-11-20)

:warning: This release contains an important security fix :warning:

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

  • catch errors when destroying invalid upgrades (83c4071)

6.2.1 (2022-11-20)

:warning: This release contains an important security fix :warning:

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

... (truncated)

Commits
  • 67a3a87 chore(release): 3.6.1
  • 83c4071 fix: catch errors when destroying invalid upgrades
  • f62f265 chore(release): 3.6.0
  • f55a79a feat: increase the default value of pingTimeout
  • 1f5d469 fix: do not reset the ping timer after upgrade
  • 3ad0567 fix: add extension in the package.json main entry (#608)
  • 58e274c feat: decrease the default value of maxHttpBufferSize
  • b9dee7b chore(release): 3.5.0
  • 19cc582 feat: add support for all cookie options
  • 5ad2736 feat: disable perMessageDeflate by default
  • Additional commits viewable in compare view


Updates sails-hook-sockets from 1.5.5 to 2.0.3

Release notes

Sourced from sails-hook-sockets's releases.

v2.0.1

• Upgraded socket.io from 2.2.0 to 2.4.1 to resolve deprecation warning

v2.0.0

• Upgraded machinepack-redis to resolve vulnerability/deprecation warnings (note this includes a major version bump of redis, the Redis client library) • Upgraded machinepack-urls to resolve vulnerability/deprecation warnings • Upgraded socket.io from 2.0.3 to 2.2.0 to resolve deprecation warning

Changelog

Sourced from sails-hook-sockets's changelog.

sails-hook-sockets changelog

2.0.1

  • Upgraded socket.io from 2.2.0 to 2.4.1 to resolve deprecation warning

2.0.0

  • Upgraded machinepack-redis to resolve vulnerability/deprecation warnings (note this includes a major version bump of redis, the Redis client library)
  • Upgraded machinepack-urls to resolve vulnerability/deprecation warnings
  • Upgraded socket.io from 2.0.3 to 2.2.0 to resolve deprecation warning

1.1.0

  • [UPGRADE] Update socket.io dependency to version 1.5.1.
  • [ENHANCEMENT] Add validation for db option. Thanks bberry6! #9
  • [ENHANCEMENT] Add onlyAllowOrigins config to restrict the origins allowed to connect to the socket server. 9450c96

1.0.1

  • [BUGFIX] Made maxHttpBufferSize actually work by passing through to the underlying adapter. f5bf545
  • [DEPRECATION] Deprecated maxBufferSize option in favor of maxHttpBufferSize. f5bf545
  • [ENHANCEMENT] Make "websocket" the default transport. This is better supported by more clients than the "polling-first" method. The relevant changes have been made in sails.io.js as well. 8135ada

1.0.0

  • [BREAKING CHANGE] Removed deprecated sails.socket methods: .emit(), .emitToAll(), .rooms(), .socketRooms(), .subscribers(), .id().
  • [ENHANCEMENT] Added support for the "subEvent" option. Thanks @​albi34! #26
  • [BUGFIX] Explicitly set content-type when responding to JSONP request. Thanks @​arryon! #28

0.13.7

  • [BUGFIX] Correctly handle joining/leaving rooms using socket ID as the first argument. Thanks @​Biktop! #22

0.13.6

  • [BUGFIX] Make "async" a full dependency, to ensure compatibility with Sails when globals are turned off a5bd1e1

0.13.5

  • [ENHANCEMENT] Forward the "nosession" header to the Sails virtual router (allowing sockets to connect without creating sessions) 7331197

0.13.4

  • [BUGFIX] Fix issue where admin bus crashes when "db" or "pass" is not specified in redis config 14210dc

0.13.3

  • [BUGFIX] Added missing require()s to ensured that hook works without Sails globals enabled

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by eashaw, a new releaser for sails-hook-sockets since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/the-chain/airmedfoundation-terminal/network/alerts).