simple-search-service [Snyk] Upgrade socket.io from 2.5.0 to 4.5.3

[Snyk] Upgrade socket.io from 2.5.0 to 4.5.3

Open ukmadlz opened this issue 2 years ago • 0 comments

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade socket.io from 2.5.0 to 4.5.3.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Warning: This is a major version upgrade, and may be a breaking change.

The recommended version is 30 versions ahead of your current version.
The recommended version was released a month ago, on 2022-10-15.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: socket.io

4.5.3 - 2022-10-15
Bug Fixes
- typings: accept an HTTP2 server in the constructor (d3d0a2d)
- typings: apply types to "io.timeout(...).emit()" calls (e357daf)
Links:
- Diff: 4.5.2...4.5.3
- Client release: 4.5.3
- engine.io version: ~6.2.0
- ws version: ~8.2.3
4.5.2 - 2022-09-02
Bug Fixes
- prevent the socket from joining a room after disconnection (18f3fda)
- uws: prevent the server from crashing after upgrade (ba497ee)
Links:
- Diff: 4.5.1...4.5.2
- Client release: 4.5.2
- engine.io version: ~6.2.0
- ws version: ~8.2.3
4.5.1 - 2022-05-17
Bug Fixes
- forward the local flag to the adapter when using fetchSockets() (30430f0)
- typings: add HTTPS server to accepted types (#4351) (9b43c91)
Links:
- Diff: 4.5.0...4.5.1
- Client release: 4.5.1
- engine.io version: ~6.2.0
- ws version: ~8.2.3
4.5.0 - 2022-04-23
Bug Fixes
- typings: ensure compatibility with TypeScript 3.x (#4259) (02c87a8)
Features
- add support for catch-all listeners for outgoing packets (531104d)
This is similar to onAny(), but for outgoing packets.

Syntax:
```
socket.onAnyOutgoing((event, ...args) => {
  console.log(event);
});
```
- broadcast and expect multiple acks (8b20457)
Syntax:
```
io.timeout(1000).emit("some-event", (err, responses) => {
  // ...
});
```
- add the "maxPayload" field in the handshake details (088dcb4)
So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize
value.

This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as
we only add a field in the JSON-encoded handshake data:
```
0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}
```
Links:
- Diff: 4.4.1...4.5.0
- Client release: 4.5.0
- engine.io version: ~6.2.0 (diff)
- ws version: ~8.2.3
4.4.1 - 2022-01-06
Bug Fixes
- types: make RemoteSocket.data type safe (#4234) (770ee59)
- types: pass SocketData type to custom namespaces (#4233) (f2b8de7)
Links:
- Diff: 4.4.0...4.4.1
- Client release: 4.4.1
- engine.io version: ~6.1.0 (diff)
- ws version: ~8.2.3
4.4.0 - 2021-11-18
Bug Fixes
- only set 'connected' to true after middleware execution (02b0f73)
Features
- add an implementation based on uWebSockets.js (c0d8c5a)
const { App } = require("uWebSockets.js"); const { Server } = require("socket.io");
const app = new App(); const io = new Server();

io.attachApp(app);

io.on("connection", (socket) => { // ... });

app.listen(3000, (token) => { if (!token) { console.warn("port already in use"); } });
- add timeout feature (f0ed42f)
```
socket.timeout(5000).emit("my-event", (err) => {
  if (err) {
    // the client did not acknowledge the event in the given delay
  }
});
```
- add type information to socket.data (#4159) (fe8730c)
interface SocketData { name: string; age: number; }
const io = new Server<ClientToServerEvents, ServerToClientEvents, InterServerEvents, SocketData>();

io.on("connection", (socket) => { socket.data.name = "john"; socket.data.age = 42; });

Links:
- Diff: 4.3.2...4.4.0
- Client release: 4.4.0
- engine.io version: ~6.1.0 (diff)
- ws version: ~8.2.3
4.3.2 - 2021-11-08
Bug Fixes
- fix race condition in dynamic namespaces (#4137) (9d86397)
Links:
- Diff: 4.3.1...4.3.2
- Client release: 4.3.2
- engine.io version: ~6.0.0
- ws version: ~8.2.3
4.3.1 - 2021-10-16
Bug Fixes
- fix server attachment (#4127) (0ef2a4d)
Links:
- Diff: 4.3.0...4.3.1
- Client release: 4.3.1
- engine.io version: ~6.0.0
- ws version: ~8.2.3
4.3.0 - 2021-10-14
4.2.0 - 2021-08-30
4.1.3 - 2021-07-10
4.1.2 - 2021-05-17
4.1.1 - 2021-05-11
4.1.0 - 2021-05-11
4.0.2 - 2021-05-06
4.0.1 - 2021-03-31
4.0.0 - 2021-03-10
3.1.2 - 2021-02-26
3.1.1 - 2021-02-03
3.1.0 - 2021-01-15
3.0.5 - 2021-01-05
3.0.4 - 2020-12-07
3.0.3 - 2020-11-19
3.0.2 - 2020-11-17
3.0.1 - 2020-11-09
3.0.0 - 2020-11-05
3.0.0-rc4 - 2020-10-30
3.0.0-rc3 - 2020-10-26
3.0.0-rc2 - 2020-10-15
3.0.0-rc1 - 2020-10-13
2.5.0 - 2022-06-26
⚠️ WARNING ⚠️

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: GHSA-j4f2-536g-r55m

Bug Fixes
- fix race condition in dynamic namespaces (05e1278)
- ignore packet received after disconnection (22d4bdf)
- only set 'connected' to true after middleware execution (226cc16)
- prevent the socket from joining a room after disconnection (f223178)
Links:
- Diff: 2.4.1...2.5.0
- Client release: 2.5.0
- engine.io version: ~3.6.0 (diff)
- ws version: ~7.4.2