[Snyk] Upgrade socket.io from 2.5.0 to 4.5.4

[ukmadlz]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade socket.io from 2.5.0 to 4.5.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

Warning: This is a major version upgrade, and may be a breaking change.

• The recommended version is 31 versions ahead of your current version.
• The recommended version was released a month ago, on 2022-11-22.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: socket.io

• 4.5.4 - 2022-11-22
  

  This release contains a bump of:

  • engine.io in order to fix CVE-2022-41940
  • socket.io-parser in order to fix CVE-2022-2421.

  Links:

  • Diff: 4.5.3...4.5.4
  • Client release: 4.5.4
  • engine.io@~6.2.1 (diff)
  • ws@~8.2.3
• 4.5.3 - 2022-10-15
  

  Bug Fixes

  • typings: accept an HTTP2 server in the constructor (d3d0a2d)
  • typings: apply types to "io.timeout(...).emit()" calls (e357daf)

  Links:

  • Diff: 4.5.2...4.5.3
  • Client release: 4.5.3
  • engine.io version: ~6.2.0
  • ws version: ~8.2.3
• 4.5.2 - 2022-09-02
  

  Bug Fixes

  • prevent the socket from joining a room after disconnection (18f3fda)
  • uws: prevent the server from crashing after upgrade (ba497ee)

  Links:

  • Diff: 4.5.1...4.5.2
  • Client release: 4.5.2
  • engine.io version: ~6.2.0
  • ws version: ~8.2.3
• 4.5.1 - 2022-05-17
  

  Bug Fixes

  • forward the local flag to the adapter when using fetchSockets() (30430f0)
  • typings: add HTTPS server to accepted types (#4351) (9b43c91)

  Links:

  • Diff: 4.5.0...4.5.1
  • Client release: 4.5.1
  • engine.io version: ~6.2.0
  • ws version: ~8.2.3
• 4.5.0 - 2022-04-23
  

  Bug Fixes

  • typings: ensure compatibility with TypeScript 3.x (#4259) (02c87a8)

  Features

  • add support for catch-all listeners for outgoing packets (531104d)

  This is similar to onAny(), but for outgoing packets.

  Syntax:

  socket.onAnyOutgoing((event, ...args) => {
    console.log(event);
  });

  • broadcast and expect multiple acks (8b20457)

  Syntax:

  io.timeout(1000).emit("some-event", (err, responses) => {
    // ...
  });

  • add the "maxPayload" field in the handshake details (088dcb4)

  So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize
  value.

  This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as
  we only add a field in the JSON-encoded handshake data:

  0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}
  

  Links:

  • Diff: 4.4.1...4.5.0
  • Client release: 4.5.0
  • engine.io version: ~6.2.0 (diff)
  • ws version: ~8.2.3
• 4.4.1 - 2022-01-06
  

  Bug Fixes

  • types: make RemoteSocket.data type safe (#4234) (770ee59)
  • types: pass SocketData type to custom namespaces (#4233) (f2b8de7)

  Links:

  • Diff: 4.4.0...4.4.1
  • Client release: 4.4.1
  • engine.io version: ~6.1.0 (diff)
  • ws version: ~8.2.3
• 4.4.0 - 2021-11-18
  

  Bug Fixes

  • only set 'connected' to true after middleware execution (02b0f73)

  Features

  • add an implementation based on uWebSockets.js (c0d8c5a)
  const { App } = require("uWebSockets.js");
  const { Server } = require("socket.io");

  const app = new App();
  const io = new Server();

  io.attachApp(app);

  io.on("connection", (socket) => {
  // ...
  });

  app.listen(3000, (token) => {
  if (!token) {
  console.warn("port already in use");
  }
  });

  • add timeout feature (f0ed42f)

  socket.timeout(5000).emit("my-event", (err) => {
    if (err) {
      // the client did not acknowledge the event in the given delay
    }
  });

  • add type information to socket.data (#4159) (fe8730c)
  interface SocketData {
  name: string;
  age: number;
  }

  const io = new Server<ClientToServerEvents, ServerToClientEvents, InterServerEvents, SocketData>();

  io.on("connection", (socket) => {
  socket.data.name = "john";
  socket.data.age = 42;
  });

  Links:

  • Diff: 4.3.2...4.4.0
  • Client release: 4.4.0
  • engine.io version: ~6.1.0 (diff)
  • ws version: ~8.2.3
• 4.3.2 - 2021-11-08
  

  Bug Fixes

  • fix race condition in dynamic namespaces (#4137) (9d86397)

  Links:

  • Diff: 4.3.1...4.3.2
  • Client release: 4.3.2
  • engine.io version: ~6.0.0
  • ws version: ~8.2.3
• 4.3.1 - 2021-10-16
  

  Bug Fixes

  • fix server attachment (#4127) (0ef2a4d)

  Links:

  • Diff: 4.3.0...4.3.1
  • Client release: 4.3.1
  • engine.io version: ~6.0.0
  • ws version: ~8.2.3
• 4.3.0 - 2021-10-14
• 4.2.0 - 2021-08-30
• 4.1.3 - 2021-07-10
• 4.1.2 - 2021-05-17
• 4.1.1 - 2021-05-11
• 4.1.0 - 2021-05-11
• 4.0.2 - 2021-05-06
• 4.0.1 - 2021-03-31
• 4.0.0 - 2021-03-10
• 3.1.2 - 2021-02-26
• 3.1.1 - 2021-02-03
• 3.1.0 - 2021-01-15
• 3.0.5 - 2021-01-05
• 3.0.4 - 2020-12-07
• 3.0.3 - 2020-11-19
• 3.0.2 - 2020-11-17
• 3.0.1 - 2020-11-09
• 3.0.0 - 2020-11-05
• 3.0.0-rc4 - 2020-10-30
• 3.0.0-rc3 - 2020-10-26
• 3.0.0-rc2 - 2020-10-15
• 3.0.0-rc1 - 2020-10-13
• 2.5.0 - 2022-06-26
  

  ⚠️ WARNING ⚠️

  The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

  Security advisory: GHSA-j4f2-536g-r55m

  Bug Fixes

  • fix race condition in dynamic namespaces (05e1278)
  • ignore packet received after disconnection (22d4bdf)
  • only set 'connected' to true after middleware execution (226cc16)
  • prevent the socket from joining a room after disconnection (f223178)

  Links:

  • Diff: 2.4.1...2.5.0
  • Client release: 2.5.0
  • engine.io version: ~3.6.0 (diff)
  • ws version: ~7.4.2

from socket.io GitHub release notes

Commit messages

Package name: socket.io

• 3b7ced7 chore(release): 4.5.4
• c00bb95 chore: bump engine.io to version 6.2.1
• 57e5f25 chore: bump socket.io-parser to version 4.2.1
• f4b6984 docs: add missing versions in the changelog
• 945c84b chore(release): 4.5.3
• d3d0a2d fix(typings): accept an HTTP2 server in the constructor
• 19b225b docs(examples): update dependencies of the basic CRUD example
• 8fae95d docs: add jsdoc for each public method
• e6f6b90 docs: add deprecation notice for the allSockets() method
• 596eb88 ci: upgrade to actions/checkout@3 and actions/setup-node@3
• e357daf fix(typings): apply types to "io.timeout(...).emit()" calls
• 10fa4a2 refactor: add list of possible disconnection reasons
• 8be95b3 chore(release): 4.5.2
• ba497ee fix(uws): prevent the server from crashing after upgrade
• 2803871 ci: add explicit permissions to workflow (#4466)
• 134226e refactor: add missing constraints (#4431)
• 9890b03 chore: bump dependencies
• 713a6b4 chore: bump mocha to version 10.0.0
• 18f3fda fix: prevent the socket from joining a room after disconnection
• 5ab8289 chore(release): 4.5.1
• 30430f0 fix: forward the local flag to the adapter when using fetchSockets()
• 9b43c91 fix(typings): add HTTPS server to accepted types (#4351)
• 8ecfcba chore(release): 4.5.0
• 572133a docs(examples): update example with webpack

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs