chore(deps): update dependency engine.io to >= 6.4.2 [security] - autoclosed #678
⚠ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below:
File name: package-lock.json
❌ Deploy Preview for apollo-monodocs failed.
This PR contains the following updates:

| Package | Change |
|---|---|
| engine.io | 6.2.1 -> >= 6.4.2 |

Diff: https://renovatebot.com/diffs/npm/engine.io/6.2.1/>= 6.4.2

GitHub Vulnerability Alerts
CVE-2023-31125
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
This impacts all the users of the engine.io package, including those who use dependent packages like socket.io.
Patches
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.
For socket.io users:

| socket.io version | engine.io version | action |
|---|---|---|
| socket.io@4.6.x | ~6.4.0 | npm audit fix should be sufficient |
| socket.io@4.5.x | ~6.2.0 | upgrade to socket.io@4.6.x |
| socket.io@4.4.x | ~6.1.0 | upgrade to socket.io@4.6.x |
| socket.io@4.3.x | ~6.0.0 | upgrade to socket.io@4.6.x |
| socket.io@4.2.x | ~5.2.0 | upgrade to socket.io@4.6.x |
| socket.io@4.1.x | ~5.1.1 | upgrade to socket.io@4.6.x |
| socket.io@4.0.x | ~5.0.0 | not impacted |
| socket.io@3.1.x | ~4.1.0 | not impacted |
| socket.io@3.0.x | ~4.0.0 | not impacted |
| socket.io@2.5.0 | ~3.6.0 | not impacted |
| socket.io@2.4.x and below | ~3.5.0 | not impacted |
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
engine.io
Thanks to Thomas Rinsma from Codean for the responsible disclosure.
Configuration
📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - "after 8am and before 4pm on tuesday" in timezone Etc/UTC.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.