salve
salve copied to clipboard
mangalam-research
chore(deps): update dependency engine.io to 3.6.1 [security] - abandoned
This PR contains the following updates:
| Package | Change |
|---|---|
| engine.io | 3.2.1 -> 3.6.1 |
GitHub Vulnerability Alerts
CVE-2020-36048
Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
CVE-2022-41940
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
events.js:292
throw er; // Unhandled 'error' event
^
Error: read ECONNRESET
at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
at emitErrorNT (internal/streams/destroy.js:106:8)
at emitErrorCloseNT (internal/streams/destroy.js:74:3)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
errno: -104,
code: 'ECONNRESET',
syscall: 'read'
}
This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.
Patches
A fix has been released today (2022/11/20):
| Version range | Fixed version |
|---|---|
[email protected] |
3.6.1 |
[email protected] |
6.2.1 |
For socket.io users:
| Version range | engine.io version |
Needs minor update? |
|---|---|---|
[email protected] |
~6.2.0 |
npm audit fix should be sufficient |
[email protected] |
~6.1.0 |
Please upgrade to [email protected] |
[email protected] |
~6.0.0 |
Please upgrade to [email protected] |
[email protected] |
~5.2.0 |
Please upgrade to [email protected] |
[email protected] |
~5.1.1 |
Please upgrade to [email protected] |
[email protected] |
~5.0.0 |
Please upgrade to [email protected] |
[email protected] |
~4.1.0 |
Please upgrade to [email protected] (see here) |
[email protected] |
~4.0.0 |
Please upgrade to [email protected] (see here) |
[email protected] |
~3.6.0 |
npm audit fix should be sufficient |
[email protected] and below |
~3.5.0 |
Please upgrade to [email protected] |
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
- Open an issue in
engine.io
Thanks to Jonathan Neve for the responsible disclosure.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
Autoclosing Skipped
This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.