dependency(deps): update dependency engine.io to v6.4.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
engine.io	6.2.1 -> 6.4.2

GitHub Vulnerability Alerts

CVE-2023-31125

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
    at Server.onWebSocket (build/server.js:515:67)

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2023/05/02): 6.4.2

This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.

For socket.io users:

Version range	engine.io version	Needs minor update?
socket.io@4.6.x	~6.4.0	npm audit fix should be sufficient
socket.io@4.5.x	~6.2.0	Please upgrade to socket.io@4.6.x
socket.io@4.4.x	~6.1.0	Please upgrade to socket.io@4.6.x
socket.io@4.3.x	~6.0.0	Please upgrade to socket.io@4.6.x
socket.io@4.2.x	~5.2.0	Please upgrade to socket.io@4.6.x
socket.io@4.1.x	~5.1.1	Please upgrade to socket.io@4.6.x
socket.io@4.0.x	~5.0.0	Not impacted
socket.io@3.1.x	~4.1.0	Not impacted
socket.io@3.0.x	~4.0.0	Not impacted
socket.io@2.5.0	~3.6.0	Not impacted
socket.io@2.4.x and below	~3.5.0	Not impacted

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

• Open an issue in engine.io

Thanks to Thomas Rinsma from Codean for the responsible disclosure.

---

Release Notes

socketio/engine.io

v6.4.2

Compare Source

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
  at Server.onWebSocket (build/server.js:515:67)

Please upgrade as soon as possible.

Bug Fixes

• include error handling for Express middlewares (#​674) (9395782)
• prevent crash when provided with an invalid query param (fc480b4)
• typings: make clientsCount public (#​675) (bd6d471)
• uws: prevent crash when using with middlewares (8b22162)

Credits

Huge thanks to @​tyilo and @​cieldeville for helping!

Dependencies

• ws@~8.11.0 (no change)

v6.4.1

Compare Source

This release contains 6e78489, which exports the BaseServer class in order to restore the compatibility with the nodenext module resolution strategy of TypeScript.

Reference: https://www.typescriptlang.org/tsconfig/#moduleResolution

Related: https://github.com/socketio/socket.io/issues/4621

Dependencies

• ws@~8.11.0 (no change)

v6.4.0

Compare Source

Features

• add support for Express middlewares (24786e7)

This commit implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.

A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.

Syntax:

engine.use((req, res, next) => {
  // do something

  next();
});

// with express-session
import session from "express-session";

engine.use(session({
  secret: "keyboard cat",
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}));

// with helmet
import helmet from "helmet";

engine.use(helmet());

Dependencies

• ws@~8.11.0 (no change)

v6.3.1

Compare Source

Dependencies

• ws@~8.11.0 (no change)

v6.3.0

Compare Source

Bug Fixes

• fix the ES module wrapper (ed87609)
• wait for all packets to be sent before closing the WebSocket connection (a65a047)

Features

• add the "addTrailingSlash" option (#​655) (d0fd474)

The trailing slash which was added by default can now be disabled:

import { Server } from "engine.io";

const server = new Server();

server.attach(httpServer, {
  addTrailingSlash: false
});

In the example above, the clients can omit the trailing slash and use /engine.io instead of /engine.io/.

Performance Improvements

• add the wsPreEncodedFrame option (5e34722)

This will be used when broadcasting packets at the Socket.IO level.

See also: socketio/socket.io-adapter@5f7b47d

Dependencies

• ws@~8.11.0 (diff)

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[cypress]

6 flaky tests on run #46031 ↗︎

0

5407

96

0

6

Details:

updating changelog
Project: cypress	Commit: 2ad4254397
Status: Passed	Duration: 13:14 💡
Started: May 4, 2023 9:40 PM	Ended: May 4, 2023 9:53 PM

  commands/net_stubbing.cy.ts • 1 flaky test • 5x-driver-electron

View Output Video

Test		Artifacts
network stubbing > intercepting request > can delay and throttle a StaticResponse		Output Video

  cypress/cypress.cy.js • 3 flaky tests • 5x-driver-electron

View Output Video

Test		Artifacts
... > correctly returns currentRetry		Output Video
... > correctly returns currentRetry		Output Video
... > correctly returns currentRetry		Output Video

  project-setup.cy.ts • 2 flaky tests • launchpad-e2e

View Output Video

Test		Artifacts
... > shows the configuration setup page when selecting e2e tests		Output Screenshots Video
... > can skip setup CT testing for an E2E project		Output Screenshots Video

_{This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.}

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

[cypress-bot]

Released in 12.12.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v12.12.0, please open a new issue.