Update dependency socket.io to v4.6.2 [SECURITY] #348
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.4.1
->4.6.2
GitHub Vulnerability Alerts
CVE-2024-38355
Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
Affected versions
4.6.2...latest
3.0.0...4.6.1
socket.io@4.6.2
(at least)2.3.0...2.5.0
socket.io@2.5.1
Patches
This issue is fixed by socketio/socket.io@15af22f, included in
socket.io@4.6.2
(released in May 2023).The fix was backported in the 2.x branch today: socketio/socket.io@d30630b
Workarounds
As a workaround for the affected versions of the
socket.io
package, you can attach a listener for the "error" event:For more information
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.
References
Release Notes
socketio/socket.io (socket.io)
v4.6.2
Compare Source
Bug Fixes
types
condition to the top (#4698) (3d44aae)Links
engine.io@~6.4.2
(diff)ws@~8.11.0
(no change)v4.6.1
Compare Source
Bug Fixes
Links
engine.io@~6.4.1
(diff)ws@~8.11.0
(no change)v4.6.0
Compare Source
Bug Fixes
Features
Promise-based acknowledgements
This commit adds some syntactic sugar around acknowledgements:
emitWithAck()
serverSideEmitWithAck()
Added in 184f3cf.
Connection state recovery
This feature allows a client to reconnect after a temporary disconnection and restore its state:
Usage:
Here's how it works:
id
attribute, which is public and can be freely shared)The in-memory adapter already supports this feature, and we will soon update the Postgres and MongoDB adapters. We will also create a new adapter based on Redis Streams, which will support this feature.
Added in 54d5ee0.
Compatibility (for real) with Express middlewares
This feature implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.
Syntax:
A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.
Added in 24786e7.
Error details in the disconnecting and disconnect events
The
disconnect
event will now contain additional details about the disconnection reason.Added in 8aa9499.
Automatic removal of empty child namespaces
This commit adds a new option, "cleanupEmptyChildNamespaces". With this option enabled (disabled by default), when a socket disconnects from a dynamic namespace and if there are no other sockets connected to it then the namespace will be cleaned up and its adapter will be closed.
Added in 5d9220b.
A new "addTrailingSlash" option
The trailing slash which was added by default can now be disabled:
In the example above, the clients can omit the trailing slash and use
/socket.io
instead of/socket.io/
.Added in d0fd474.
Performance Improvements
Links:
engine.io@~6.4.0
(diff)ws@~8.11.0
(diff)v4.5.4
Compare Source
This release contains a bump of:
engine.io
in order to fix CVE-2022-41940socket.io-parser
in order to fix CVE-2022-2421.Links:
engine.io@~6.2.1
(diff)ws@~8.2.3
v4.5.3
Compare Source
Bug Fixes
Links:
~6.2.0
~8.2.3
v4.5.2
Compare Source
Bug Fixes
Links:
~6.2.0
~8.2.3
v4.5.1
Compare Source
Bug Fixes
Links:
~6.2.0
~8.2.3
v4.5.0
Compare Source
Bug Fixes
Features
This is similar to
onAny()
, but for outgoing packets.Syntax:
Syntax:
So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize
value.
This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as
we only add a field in the JSON-encoded handshake data:
Links:
~6.2.0
(diff)~8.2.3
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.