node-monkey icon indicating copy to clipboard operation
node-monkey copied to clipboard

Published 20 hours ago verified publisher icon jwarkentin

[Snyk] Security upgrade socket.io from 4.4.1 to 4.6.0

Open jwarkentin opened this issue 1 year ago • 0 comments

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 661/1000
Why? Recently disclosed, Has a fix available, CVSS 7.5		 Uncaught Exception
SNYK-JS-ENGINEIO-5496331		 No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: socket.io The new version differs by 60 commits.
  • a2e5d1f chore(release): 4.6.0
  • d8143cc refactor: do not persist session if connection state recovery if disabled
  • b2dd7cf chore: bump engine.io to version 6.4.0
  • 3734b74 revert: feat: expose current offset to allow deduplication
  • 8aa9499 feat: add description to the disconnecting and disconnect events (#4622)
  • 4e64123 feat: expose current offset to allow deduplication
  • 115a981 refactor: do not include the pid by default
  • 0c0eb00 fix: add timeout method to remote socket (#4558)
  • f8640d9 refactor: export DisconnectReason type
  • 93d446a refactor: add charset when serving the bundle files
  • 184f3cf feat: add promise-based acknowledgements
  • 5d9220b feat: add the ability to clean up empty child namespaces (#4602)
  • 1298839 test: add test with onAnyOutgoing() and binary attachments
  • 6c27b8b test: add test with socket.disconnect(true)
  • f3ada7d fix(typings): properly type emits with timeout
  • a21ad88 docs(changelog): add note about maxHttpBufferSize default value (#4596)
  • 54d5ee0 feat: implement connection state recovery
  • da2b542 perf: precompute the WebSocket frames when broadcasting
  • b7d54db docs: add Rust client implementation (#4592)
  • d4a9b2c refactor(typings): add types for io.engine (#4591)
  • 547c541 chore: add security policy
  • 3b7ced7 chore(release): 4.5.4
  • c00bb95 chore: bump engine.io to version 6.2.1
  • 57e5f25 chore: bump socket.io-parser to version 4.2.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

jwarkentin avatar May 04 '23 17:05 jwarkentin