recurly-js
recurly-js copied to clipboard
recurly
Bump engine.io and socket.io
Bumps engine.io and socket.io. These dependencies needed to be updated together.
Updates engine.io from 3.5.0 to 3.6.0
Release notes
Sourced from engine.io's releases.
3.6.0
Bug Fixes
- add extension in the package.json main entry (#608) (3ad0567)
- do not reset the ping timer after upgrade (1f5d469)
Features
- decrease the default value of maxHttpBufferSize (58e274c)
This change reduces the default value from 100 mb to a more sane 1 mb.
This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.
See also: https://github.com/advisories/GHSA-j4f2-536g-r55m
- increase the default value of pingTimeout (f55a79a)
Links
- Diff: https://github.com/socketio/engine.io/compare/3.5.0...3.6.0
- Client release: -
- ws version: ~7.4.2
Changelog
Sourced from engine.io's changelog.
3.6.0 (2022-06-06)
Bug Fixes
- add extension in the package.json main entry (#608) (3ad0567)
- do not reset the ping timer after upgrade (1f5d469), closes socketio/socket.io-client-swift#1309
Features
- decrease the default value of maxHttpBufferSize (58e274c)
This change reduces the default value from 100 mb to a more sane 1 mb.
This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.
See also: https://github.com/advisories/GHSA-j4f2-536g-r55m
- increase the default value of pingTimeout (f55a79a)
6.2.0 (2022-04-17)
Features
- add the "maxPayload" field in the handshake details (088dcb4)
So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize value.
This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as we only add a field in the JSON-encoded handshake data:
0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}6.1.3 (2022-02-23)
Bug Fixes
... (truncated)
Commits
Updates socket.io from 2.4.1 to 2.5.0
Release notes
Sourced from socket.io's releases.
2.5.0
:warning: WARNING :warning:
The default value of the
maxHttpBufferSizeoption has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.Security advisory: https://github.com/advisories/GHSA-j4f2-536g-r55m
Bug Fixes
- fix race condition in dynamic namespaces (05e1278)
- ignore packet received after disconnection (22d4bdf)
- only set 'connected' to true after middleware execution (226cc16)
- prevent the socket from joining a room after disconnection (f223178)
Links:
- Diff: https://github.com/socketio/socket.io/compare/2.4.1...2.5.0
- Client release: 2.5.0
- engine.io version:
~3.6.0(diff)- ws version:
~7.4.2
Commits
baa6804chore(release): 2.5.0f223178fix: prevent the socket from joining a room after disconnection226cc16fix: only set 'connected' to true after middleware execution05e1278fix: fix race condition in dynamic namespaces22d4bdffix: ignore packet received after disconnectiondfded53chore: update engine.io version to 3.6.0- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)@dependabot use these labelswill set the current labels as the default for future PRs for this repo and language@dependabot use these reviewerswill set the current reviewers as the default for future PRs for this repo and language@dependabot use these assigneeswill set the current assignees as the default for future PRs for this repo and language@dependabot use this milestonewill set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "Published by a pub.dev verified publisher"){kind=small}
:warning: We detected 2 security issues in this pull request:
Vulnerable Libraries (2)
| Severity | Details |
|---|---|
| High | pkg:npm/[email protected]@3.6.0 (t) - no patch available |
| Medium | pkg:npm/[email protected]@2.5.0 (t) - no patch available |
More info on how to fix Vulnerable Libraries in JavaScript.
👉 Go to the dashboard for detailed results.
📥 Happy? Share your feedback with us.
![guardrails[bot] avatar](https://avatars.githubusercontent.com/in/5512?v=4 "Published by a pub.dev verified publisher"){kind=small}
Coverage remained the same at 92.635% when pulling 9452efd61d6ac027cde983797f850a1a0ad9c15b on dependabot/npm_and_yarn/engine.io-and-socket.io-3.6.0 into 3920bfeab3e98c3776314679cb6d44165b2e1efa on master.
