Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency engine.io to >= 6.4.2 [security] - autoclosed #678

Closed
wants to merge 1 commit into from
Closed

chore(deps): update dependency engine.io to >= 6.4.2 [security] - autoclosed #678

wants to merge 1 commit into from

Conversation

svc-secops
Copy link
Contributor

@svc-secops svc-secops commented Dec 21, 2023
edited
Loading

This PR contains the following updates:

Package Change
engine.io [6.2.1 -> >= 6.4.2](https://renovatebot.com/diffs/npm/engine.io/6.2.1/>= 6.4.2)

GitHub Vulnerability Alerts

CVE-2023-31125

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
    at Server.onWebSocket (build/server.js:515:67)

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2023/05/02): 6.4.2

This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.

For socket.io users:

Version range engine.io version Needs minor update?
socket.io@4.6.x ~6.4.0 npm audit fix should be sufficient
socket.io@4.5.x ~6.2.0 Please upgrade to socket.io@4.6.x
socket.io@4.4.x ~6.1.0 Please upgrade to socket.io@4.6.x
socket.io@4.3.x ~6.0.0 Please upgrade to socket.io@4.6.x
socket.io@4.2.x ~5.2.0 Please upgrade to socket.io@4.6.x
socket.io@4.1.x ~5.1.1 Please upgrade to socket.io@4.6.x
socket.io@4.0.x ~5.0.0 Not impacted
socket.io@3.1.x ~4.1.0 Not impacted
socket.io@3.0.x ~4.0.0 Not impacted
socket.io@2.5.0 ~3.6.0 Not impacted
socket.io@2.4.x and below ~3.5.0 Not impacted

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Thanks to Thomas Rinsma from Codean for the responsible disclosure.

Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - "after 8am and before 4pm on tuesday" in timezone Etc/UTC.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

@svc-secops svc-secops requested a review from a team as a code owner December 21, 2023 13:07
@svc-secops svc-secops added dependencies Pull requests that update a dependency file vulnerability labels Dec 21, 2023
@svc-secops
Copy link
Contributor Author

svc-secops commented Dec 21, 2023
edited
Loading

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: docs@undefined
npm ERR! Found: react@17.0.2
npm ERR! node_modules/react
npm ERR!   react@"^17.0.2" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer react@"^18.0.0 || ^0.0.0" from gatsby@5.10.0
npm ERR! node_modules/gatsby
npm ERR!   gatsby@"5.10.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-05-09T12_35_52_773Z-debug-0.log

@netlify Netlify
Copy link

netlify bot commented Dec 21, 2023
edited
Loading

Deploy Preview for apollo-monodocs failed.

Name Link
🔨 Latest commit 4dd3e13
🔍 Latest deploy log https://app.netlify.com/sites/apollo-monodocs/deploys/6676b0590e72b90008d72eb8

@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 6 times, most recently from f21d73c to 2961c38 Compare January 10, 2024 12:58
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 4 times, most recently from 493a275 to efc812d Compare January 17, 2024 12:57
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 4 times, most recently from b45f745 to bdbc285 Compare January 24, 2024 12:19
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch from bdbc285 to 02dd676 Compare January 26, 2024 12:54
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 4 times, most recently from 7233bcc to 7037efb Compare February 8, 2024 12:30
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 5 times, most recently from 05a8ec5 to f5c1e8f Compare February 21, 2024 12:41
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch from f5c1e8f to d9361a1 Compare February 22, 2024 12:38
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 2 times, most recently from 0165202 to cfe67ce Compare May 1, 2024 11:46
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 2 times, most recently from 5217b09 to 003722d Compare May 9, 2024 12:36
@svc-secops
Copy link
Contributor Author

svc-secops commented May 11, 2024
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: docs@undefined
npm ERR! Found: react@17.0.2
npm ERR! node_modules/react
npm ERR!   react@"^17.0.2" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer react@"^18.0.0 || ^0.0.0" from gatsby@5.10.0
npm ERR! node_modules/gatsby
npm ERR!   gatsby@"5.10.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-06-22T11_06_56_389Z-debug-0.log

@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 2 times, most recently from bc78a09 to 38f906d Compare May 15, 2024 12:12
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 5 times, most recently from af659df to 64e84b2 Compare May 25, 2024 11:48
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 4 times, most recently from 0681a19 to 4196656 Compare June 5, 2024 11:08
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 5 times, most recently from 8f49e3c to f9cb148 Compare June 12, 2024 13:49
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch 2 times, most recently from 91c5537 to b2b1f40 Compare June 14, 2024 12:40
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch from b2b1f40 to 43f254c Compare June 21, 2024 12:30
@svc-secops svc-secops force-pushed the renovate/npm-engine.io-vulnerability branch from 43f254c to 4dd3e13 Compare June 22, 2024 11:07
@svc-secops svc-secops changed the title chore(deps): update dependency engine.io to 6.4.2 [security] chore(deps): update dependency engine.io to >= 6.4.2 [security] Jun 25, 2024
@svc-secops svc-secops changed the title chore(deps): update dependency engine.io to >= 6.4.2 [security] chore(deps): update dependency engine.io to >= 6.4.2 [security] - autoclosed Sep 12, 2024
@svc-secops svc-secops closed this Sep 12, 2024
@svc-secops svc-secops deleted the renovate/npm-engine.io-vulnerability branch September 12, 2024 13:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@svc-secops