Skip to content

[Snyk] Upgrade socket.io from 2.2.0 to 2.4.1#35

Open
snyk-bot wants to merge 1 commit intomasterfrom
snyk-upgrade-a6bc6bd69542c165cbd853b47ef3573d
Open

[Snyk] Upgrade socket.io from 2.2.0 to 2.4.1#35
snyk-bot wants to merge 1 commit intomasterfrom
snyk-upgrade-a6bc6bd69542c165cbd853b47ef3573d

Conversation

@snyk-bot
Copy link
Copy Markdown

@snyk-bot snyk-bot commented Dec 23, 2021

Snyk has created this PR to upgrade socket.io from 2.2.0 to 2.4.1.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 3 versions ahead of your current version.
  • The recommended version was released a year ago, on 2021-01-07.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Access Restriction Bypass
SNYK-JS-XMLHTTPREQUESTSSL-1255647		 472/1000
Why? Proof of Concept exploit, CVSS 7.3		 Proof of Concept
Arbitrary Code Injection
SNYK-JS-XMLHTTPREQUESTSSL-1082936		 472/1000
Why? Proof of Concept exploit, CVSS 7.3		 Proof of Concept
Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-1056752		 472/1000
Why? Proof of Concept exploit, CVSS 7.3		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835		 472/1000
Why? Proof of Concept exploit, CVSS 7.3		 Proof of Concept
Insecure Defaults
SNYK-JS-SOCKETIO-1024859		 472/1000
Why? Proof of Concept exploit, CVSS 7.3		 Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: socket.io
  • 2.4.1 - 2021-01-07
  • 2.4.0 - 2021-01-04
  • 2.3.0 - 2019-09-20
  • 2.2.0 - 2018-11-28
from socket.io GitHub release notes
Commit messages
Package name: socket.io
  • e6b8697 chore(release): 2.4.1
  • a169050 revert: fix(security): do not allow all origins by default
  • 873fdc5 chore(release): 2.4.0
  • f78a575 fix(security): do not allow all origins by default
  • d33a619 fix: properly overwrite the query sent in the handshake
  • 3951a79 chore: bump engine.io version
  • 6fa026f ci: migrate to GitHub Actions
  • 47161a6 [chore] Release 2.3.0
  • cf39362 [chore] Bump socket.io-parser to version 3.4.0
  • 4d01b2c test: remove deprecated Buffer usage (#3481)
  • 8227192 [docs] Fix the default value of the 'origins' parameter (#3464)
  • 1150eb5 [chore] Bump engine.io to version 3.4.0
  • 9c1e73c [chore] Update the license of the chat example (#3410)

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

cla:signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@snyk-bot