Skip to content

[Snyk] Upgrade socket.io from 2.4.0 to 2.5.0#44

Open
snyk-bot wants to merge 1 commit into
masterfrom
snyk-upgrade-f7d6c5fef6d76d59f12808e9db91165f
Open

[Snyk] Upgrade socket.io from 2.4.0 to 2.5.0#44
snyk-bot wants to merge 1 commit into
masterfrom
snyk-upgrade-f7d6c5fef6d76d59f12808e9db91165f

Conversation

@snyk-bot

@snyk-bot snyk-bot commented Mar 7, 2023

Copy link
Copy Markdown

Snyk has created this PR to upgrade socket.io from 2.4.0 to 2.5.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 2 versions ahead of your current version.
  • The recommended version was released 8 months ago, on 2022-06-26.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Denial of Service (DoS)
SNYK-JS-ENGINEIO-3136336
589/1000
Why? Has a fix available, CVSS 7.5
No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: socket.io
  • 2.5.0 - 2022-06-26

    ⚠️ WARNING ⚠️

    The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

    Security advisory: GHSA-j4f2-536g-r55m

    Bug Fixes

    • fix race condition in dynamic namespaces (05e1278)
    • ignore packet received after disconnection (22d4bdf)
    • only set 'connected' to true after middleware execution (226cc16)
    • prevent the socket from joining a room after disconnection (f223178)

    Links:

  • 2.4.1 - 2021-01-07
  • 2.4.0 - 2021-01-04
from socket.io GitHub release notes
Commit messages
Package name: socket.io
  • baa6804 chore(release): 2.5.0
  • f223178 fix: prevent the socket from joining a room after disconnection
  • 226cc16 fix: only set 'connected' to true after middleware execution
  • 05e1278 fix: fix race condition in dynamic namespaces
  • 22d4bdf fix: ignore packet received after disconnection
  • dfded53 chore: update engine.io version to 3.6.0
  • e6b8697 chore(release): 2.4.1
  • a169050 revert: fix(security): do not allow all origins by default

Compare


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant