simple-search-service

[Snyk] Upgrade socket.io from 2.4.1 to 4.4.1

Open. snyk-bot opened this pull request on Feb 01 '22 (0 comments).

Snyk has created this PR to upgrade socket.io from 2.4.1 to 4.4.1.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


Warning: This is a major version upgrade, and may be a breaking change.

  • The recommended version is 26 versions ahead of your current version.
  • The recommended version was released a month ago, on 2022-01-06.

The recommended version fixes:

Issue: Denial of Service (DoS), SNYK-JS-ENGINEIO-1056749
Priority Score (*): 696/1000. Why? Proof of Concept exploit, has a fix available, CVSS 7.5
Exploit Maturity: Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: socket.io
  • 4.4.1 - 2022-01-06

    Bug Fixes

    • types: make RemoteSocket.data type safe (#4234) (770ee59)
    • types: pass SocketData type to custom namespaces (#4233) (f2b8de7)


  • 4.4.0 - 2021-11-18

    Bug Fixes

    • only set 'connected' to true after middleware execution (02b0f73)

    Features

    • add an implementation based on uWebSockets.js (c0d8c5a)

        const { App } = require("uWebSockets.js");
        const { Server } = require("socket.io");

        const app = new App();
        const io = new Server();

        io.attachApp(app);

        io.on("connection", (socket) => {
          // ...
        });

        app.listen(3000, (token) => {
          if (!token) {
            console.warn("port already in use");
          }
        });

    • add timeout feature (f0ed42f)

        socket.timeout(5000).emit("my-event", (err) => {
          if (err) {
            // the client did not acknowledge the event in the given delay
          }
        });

    • add type information to `socket.data` (#4159) (fe8730c)

        interface SocketData {
          name: string;
          age: number;
        }

        const io = new Server<ClientToServerEvents, ServerToClientEvents, InterServerEvents, SocketData>();

        io.on("connection", (socket) => {
          socket.data.name = "john";
          socket.data.age = 42;
        });

  • 4.3.2 - 2021-11-08

    Bug Fixes

    • fix race condition in dynamic namespaces (#4137) (9d86397)


  • 4.3.1 - 2021-10-16

    Bug Fixes

    • fix server attachment (#4127) (0ef2a4d)

  • 4.3.0 - 2021-10-14

    For this release, most of the work was done on the client side, see here.

    Bug Fixes

    • typings: add name field to cookie option (#4099) (033c5d3)
    • send volatile packets with binary attachments (dc81fcf)


  • 4.2.0 - 2021-08-30

    Bug Fixes

    • typings: allow async listener in typed events (ccfd8ca)

    Features

    • ignore the query string when serving client JavaScript (#4024) (24fee27)


  • 4.1.3 - 2021-07-10

    Bug Fixes

    • fix io.except() method (94e27cd)
    • remove x-sourcemap header (a4dffc6)


  • 4.1.2 - 2021-05-17

    Bug Fixes

    • typings: ensure compatibility with TypeScript 3.x (0cb6ac9)
    • ensure compatibility with previous versions of the adapter (a2cf248)


  • 4.1.1 - 2021-05-11

    Bug Fixes

    • typings: properly type server-side events (b84ed1e)
    • typings: properly type the adapter attribute (891b187)


  • 4.1.0 - 2021-05-11

    Blog post: https://socket.io/blog/socket-io-4-1-0/

    Features

    • add support for inter-server communication (93cce05)
    • notify upon namespace creation (499c892)
    • add a "connection_error" event (7096e98, from engine.io)
    • add the "initial_headers" and "headers" events (2527543, from engine.io)


  • 4.0.2 - 2021-05-06
  • 4.0.1 - 2021-03-31
  • 4.0.0 - 2021-03-10
  • 3.1.2 - 2021-02-26
  • 3.1.1 - 2021-02-03
  • 3.1.0 - 2021-01-15
  • 3.0.5 - 2021-01-05
  • 3.0.4 - 2020-12-07
  • 3.0.3 - 2020-11-19
  • 3.0.2 - 2020-11-17
  • 3.0.1 - 2020-11-09
  • 3.0.0 - 2020-11-05
  • 3.0.0-rc4 - 2020-10-30
  • 3.0.0-rc3 - 2020-10-26
  • 3.0.0-rc2 - 2020-10-15
  • 3.0.0-rc1 - 2020-10-13
  • 2.4.1 - 2021-01-07
from socket.io GitHub release notes
Commit messages
Package name: socket.io
  • c82a4bd chore(release): 4.4.1
  • 770ee59 fix(types): make `RemoteSocket.data` type safe (#4234)
  • 3bf5d92 refactor: add note about fetchSockets() for parent namespaces
  • fc82e44 refactor(typings): export Event type (#4215)
  • c840bad test: fix flaky tests
  • f2b8de7 fix(typings): pass `SocketData` type to custom namespaces (#4233)
  • 51784d0 chore: add types to exports field to be compatible with nodenext module resolution (#4228)
  • c196689 docs: fix basic crud example
  • 7a70f63 docs: fix reconnection handling in the chat demo app (#4189)
  • e5897dd docs: add usage with ES modules (#4195)
  • 2071a66 docs: simplify nginx cluster example
  • 0f11c47 chore(release): 4.4.0
  • b839a3b fix: prevent double ack when emitting with a timeout
  • f0ed42f feat: add timeout feature
  • b7213e7 test: fix flaky test
  • 2da8210 test: add test for volatile packet with binary
  • 02b0f73 fix: only set 'connected' to true after middleware execution
  • c0d8c5a feat: add an implementation based on uWebSockets.js
  • fe8730c feat: add type information to `socket.data` (#4159)
  • ed8483d chore(release): 4.3.2
  • 9d86397 fix: fix race condition in dynamic namespaces (#4137)
  • 44e20ba refactor: add event type for use() (#4138)
  • ccc5ec3 chore(release): 4.3.1
  • 0ef2a4d fix: fix server attachment (#4127)



Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

snyk-bot, Feb 01 '22 16:02
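The PR above bumps the direct socket.io dependency to 4.4.1 to pick up the engine.io DoS fix, but a bump of the top-level entry says nothing about nested copies that other packages pull in under their own node_modules; those stay at whatever version they were resolved to. A check worth running before merging is to walk the lockfile and flag every installed copy below the recommended version. The script below is an added example written for this page, not code from Snyk or the socket.io project. It reads an npm package-lock in the lockfileVersion 2/3 "packages" layout; the lockfile, the package names some-tool and other-tool, and their versions are constructed for illustration, and the 4.4.1 threshold is taken from the PR text. Because the PR does not name the engine.io version that carries the fix, only socket.io is checked.

```javascript
"use strict";

// Added example for this page (not from Snyk or the socket.io project).
// Walks an npm package-lock "packages" map (lockfileVersion 2/3) and reports
// every installed copy of a package that is below the recommended version,
// including copies nested under other dependencies.

// Minimum versions taken from the PR text. The PR does not state the fixed
// engine.io version, so only socket.io is checked here.
const RECOMMENDED = { "socket.io": "4.4.1" };

// Constructed sample lockfile, not the real simple-search-service lockfile.
// Package names some-tool / other-tool are hypothetical; the socket.io
// versions are ones that appear in the PR's release list.
const SAMPLE_LOCK = {
  name: "simple-search-service",
  lockfileVersion: 2,
  packages: {
    "": { name: "simple-search-service", dependencies: { "socket.io": "^2.4.1" } },
    "node_modules/socket.io": { version: "2.4.1" },
    "node_modules/some-tool": { version: "1.0.0" },
    "node_modules/some-tool/node_modules/socket.io": { version: "4.4.1" },
    "node_modules/other-tool": { version: "1.0.0" },
    "node_modules/other-tool/node_modules/socket.io": { version: "3.0.0-rc4" },
  },
};

// Parse "4.4.1" or "3.0.0-rc4" (optional leading "v") into its parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts below the release with the same
// major.minor.patch, which matters for entries such as 3.0.0-rc4.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  if (x.pre && y.pre) return x.pre < y.pre ? -1 : x.pre > y.pre ? 1 : 0;
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Every installed copy (top-level or nested) below its recommended minimum.
function findOutdated(lock, recommended = RECOMMENDED) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = packageNameFromPath(path);
    const minimum = recommended[name];
    if (minimum && entry.version && compareSemver(entry.version, minimum) < 0) {
      findings.push({ name, path, installed: entry.version, minimum });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findOutdated(SAMPLE_LOCK)) {
    console.log(`${f.path}: installed ${f.installed}, recommended >= ${f.minimum}`);
  }
}
```

Pointing findOutdated at the real lockfile is a matter of `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of SAMPLE_LOCK. On the constructed input it reports the top-level 2.4.1 copy and the nested 3.0.0-rc4 copy, while the nested 4.4.1 copy passes; the bot's PR would only have touched the first of those.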