Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: assert, body-parser, ejs, express, express-session, express-validator, helmet, nodemon, socket.io #288

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

dIwnsgml
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

assert
from 2.0.0 to 2.1.0 | 1 version ahead of your current version | a year ago
on 2023-09-07
body-parser
from 1.19.2 to 1.20.2 | 3 versions ahead of your current version | 2 years ago
on 2023-02-22
ejs
from 3.1.7 to 3.1.10 | 3 versions ahead of your current version | 5 months ago
on 2024-04-12
express
from 4.17.3 to 4.19.2 | 7 versions ahead of your current version | 6 months ago
on 2024-03-25
express-session
from 1.17.2 to 1.18.0 | 2 versions ahead of your current version | 7 months ago
on 2024-01-28
express-validator
from 5.3.0 to 5.3.1 | 1 version ahead of your current version | 6 years ago
on 2018-12-23
helmet
from 5.0.2 to 5.1.1 | 2 versions ahead of your current version | 2 years ago
on 2022-07-23
nodemon
from 2.0.15 to 2.0.22 | 7 versions ahead of your current version | a year ago
on 2023-03-22
socket.io
from 4.4.1 to 4.7.5 | 15 versions ahead of your current version | 6 months ago
on 2024-03-14

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
critical severity Improper Input Validation
SNYK-JS-SOCKETIOPARSER-3091012
490 No Known Exploit
high severity Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-5596892
490 No Known Exploit
high severity Denial of Service (DoS)
SNYK-JS-ENGINEIO-3136336
490 No Known Exploit
high severity Uncaught Exception
SNYK-JS-ENGINEIO-5496331
490 No Known Exploit
high severity Uncaught Exception
SNYK-JS-SOCKETIO-7278048
490 No Known Exploit
high severity Denial of Service (DoS)
SNYK-JS-WS-7266574
490 Proof of Concept
medium severity Improper Control of Dynamically-Managed Code Resources
SNYK-JS-EJS-6689533
490 No Known Exploit
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509
490 No Known Exploit
medium severity Open Redirect
SNYK-JS-GOT-2932019
490 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-HTTPCACHESEMANTICS-3248783
490 Proof of Concept
low severity Prototype Pollution
SNYK-JS-MINIMIST-2429795
490 Proof of Concept
Release notes
Package name: assert
  • 2.1.0 - 2023-09-07
  • 2.0.0 - 2019-05-12

    Note: Support for IE9 and IE10 has been dropped. IE11 is still supported.

from assert GitHub release notes
Package name: body-parser
  • 1.20.2 - 2023-02-22
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
      • perf: skip value escaping when unnecessary
    • deps: raw-body@2.5.2
  • 1.20.1 - 2022-10-06
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • 1.20.0 - 2022-04-03
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@2.0.0
      • Replace internal eval usage with Function constructor
      • Use instance methods on process to check for listeners
    • deps: http-errors@2.0.0
      • deps: depd@2.0.0
      • deps: statuses@2.0.1
    • deps: on-finished@2.4.1
    • deps: qs@6.10.3
    • deps: raw-body@2.5.1
      • deps: http-errors@2.0.0
  • 1.19.2 - 2022-02-16
    • deps: bytes@3.1.2
    • deps: qs@6.9.7
      • Fix handling of __proto__ keys
    • deps: raw-body@2.4.3
      • deps: bytes@3.1.2
from body-parser GitHub release notes
Package name: ejs from ejs GitHub release notes
Package name: express
  • 4.19.2 - 2024-03-25
  • 4.19.1 - 2024-03-20

    What's Changed

    Full Changelog: 4.19.0...4.19.1

  • 4.19.0 - 2024-03-20

    What's Changed

    New Contributors

    Full Changelog: 4.18.3...4.19.0

  • 4.18.3 - 2024-02-29

    Main Changes

    • Fix routing requests without method
    • deps: body-parser@1.20.2
      • Fix strict json error message on Node.js 19+
      • deps: content-type@~1.0.5
      • deps: raw-body@2.5.2

    Other Changes

    New Contributors

    Full Changelog: 4.18.2...4.18.3

  • 4.18.2 - 2022-10-08
    • Fix regression routing a large stack in a single route
    • deps: body-parser@1.20.1
      • deps: qs@6.11.0
      • perf: remove unnecessary object clone
    • deps: qs@6.11.0
  • 4.18.1 - 2022-04-29
    • Fix hanging on large stack of sync routes
  • 4.18.0 - 2022-04-25
    • Add "root" option to res.download
    • Allow options without filename in res.download
    • Deprecate string and non-integer arguments to res.status
    • Fix behavior of null/undefined as maxAge in res.cookie
    • Fix handling very large stacks of sync middleware
    • Ignore Object.prototype values in settings through app.set/app.get
    • Invoke default with same arguments as types in res.format
    • Support proper 205 responses using res.send
    • Use http-errors for res.format error
    • deps: body-parser@1.20.0
      • Fix error message for json parse whitespace in strict
      • Fix internal error when inflated body exceeds limit
      • Prevent loss of async hooks context
      • Prevent hanging when request already read
      • deps: depd@2.0.0
      • deps: http-errors@2.0.0
      • deps: on-finished@2.4.1
      • deps: qs@6.10.3
      • deps: raw-body@2.5.1
    • deps: cookie@0.5.0
      • Add priority option
      • Fix expires option to reject invalid dates
    • deps: depd@2.0.0
      • Replace internal eval usage with Function constructor
      • Use instance methods on process to check for listeners
    • deps: finalhandler@1.2.0
      • Remove set content headers that break response
      • deps: on-finished@2.4.1
      • deps: statuses@2.0.1
    • deps: on-finished@2.4.1
      • Prevent loss of async hooks context
    • deps: qs@6.10.3
    • deps: send@0.18.0
      • Fix emitted 416 error missing headers property
      • Limit the headers removed for 304 response
      • deps: depd@2.0.0
      • deps: destroy@1.2.0
      • deps: http-errors@2.0.0
      • deps: on-finished@2.4.1
      • deps: statuses@2.0.1
    • deps: serve-static@1.15.0
      • deps: send@0.18.0
    • deps: statuses@2.0.1
      • Remove code 306
      • Rename 425 Unordered Collection to standard 425 Too Early
  • 4.17.3 - 2022-02-17
    • deps: accepts@~1.3.8
      • deps: mime-types@~2.1.34
      • deps: negotiator@0.6.3
    • deps: body-parser@1.19.2
      • deps: bytes@3.1.2
      • deps: qs@6.9.7
      • deps: raw-body@2.4.3
    • deps: cookie@0.4.2
    • deps: qs@6.9.7
      • Fix handling of __proto__ keys
    • pref: remove unnecessary regexp for trust proxy
from express GitHub release notes
Package name: express-session
  • 1.18.0 - 2024-01-28
    • Add debug log for pathname mismatch
    • Add partitioned to cookie options
    • Add priority to cookie options
    • Fix handling errors from setting cookie
    • Support any type in secret that crypto.createHmac supports
    • deps: cookie@0.6.0
      • Fix expires option to reject invalid dates
      • perf: improve default decode speed
      • perf: remove slow string split in parse
    • deps: cookie-signature@1.0.7
  • 1.17.3 - 2022-05-11
    • Fix resaving already-saved new session at end of request
    • deps: cookie@0.4.2
  • 1.17.2 - 2021-05-19
    • Fix res.end patch to always commit headers
    • deps: cookie@0.4.1
    • deps: safe-buffer@5.2.1
from express-session GitHub release notes
Package name: express-validator
  • 5.3.1 - 2018-12-23
    • #673 - check: add missing ; that would cause TypeScript to throw syntax errors
  • 5.3.0 - 2018-07-23
    • #579 - docs: major overhaul, and a new home!
      See https://express-validator.github.io for them, with version selection available ✨
    • #473, #570 - check: add checkNull and checkFalsy options to exists validator
    • #568, #577 - filter: allow including optionals when using matchedData()
    • #584 - check: don't call sanitizers twice
    • #593 - check: don't fail when custom validator returns nothing
    • #598 - check: persist empty validations as the request location itself
    • Upgrade validator to v10.4.0
from express-validator GitHub release notes
Package name: helmet from helmet GitHub release notes
Package name: nodemon from nodemon GitHub release notes
Package name: socket.io
  • 4.7.5 - 2024-03-14

    Bug Fixes

    • close the adapters when the server is closed (bf64870)
    • remove duplicate pipeline when serving bundle (e426f3e)

    Links

  • 4.7.4 - 2024-01-12

    Bug Fixes

    • typings: calling io.emit with no arguments incorrectly errored (cb6d2e0), closes #4914

    Links

  • 4.7.3 - 2024-01-03

    Bug Fixes

    • return the first response when broadcasting to a single socket (#4878) (df8e70f)
    • typings: allow to bind to a non-secure Http2Server (#4853) (8c9ebc3)

    Links

  • 4.7.2 - 2023-08-02

    Bug Fixes

    • clean up child namespace when client is rejected in middleware (#4773) (0731c0d)
    • webtransport: properly handle WebTransport-only connections (3468a19)
    • webtransport: add proper framing (a306db0)

    Links

  • 4.7.1 - 2023-06-28

    The client bundle contains a few fixes regarding the WebTransport support.

    Links

  • 4.7.0 - 2023-06-22

    Bug Fixes

    • remove the Partial modifier from the socket.data type (#4740) (e5c62ca)

    Features

    Support for WebTransport

    The Socket.IO server can now use WebTransport as the underlying transport.

    WebTransport is a web API that uses the HTTP/3 protocol as a bidirectional transport. It's intended for two-way communications between a web client and an HTTP/3 server.

    References:

    Until WebTransport support lands in Node.js, you can use the @ fails-components/webtransport package:

    https://w3c.github.io/webtransport/#custom-certificate-requirements)
    const cert = readFileSync("/path/to/my/cert.pem");
    const key = readFileSync("/path/to/my/key.pem");

    const httpsServer = createServer({
    key,
    cert
    });

    httpsServer.listen(3000);

    const io = new Server(httpsServer, {
    transports: ["polling", "websocket", "webtransport"] // WebTransport is not enabled by default
    });

    const h3Server = new Http3Server({
    port: 3000,
    host: "0.0.0.0",
    secret: "changeit",
    cert,
    privKey: key,
    });

    (async () => {
    const stream = await h3Server.sessionStream("/socket.io/");
    const sessionReader = stream.getReader();

    while (true) {
    const { done, value } = await sessionReader.read();
    if (done) {
    break;
    }
    io.engine.onWebTransportSession(value);
    }
    })();

    h3Server.startServer();">

    import { readFileSync } from "fs";
    import { createServer } from "https";
    import { Server } from "socket.io";
    import { Http3Server } from "@ fails-components/webtransport";

    // WARNING: the total length of the validity period MUST NOT exceed two weeks (https://w3c.github.io/webtransport/#custom-certificate-requirements)
    const cert = readFileSync("/path/to/my/cert.pem");
    const key = readFileSync("/path/to/my/key.pem");

    const httpsServer = createServer({
    key,
    cert
    });

    httpsServer.listen(3000);

    const io = new Server(httpsServer, {
    transports: ["polling", "websocket", "webtransport"] // WebTransport is not enabled by default
    });

    const h3Server = new Http3Server({
    port: 3000,
    host: "0.0.0.0",
    secret: "changeit",
    cert,
    privKey: key,
    });

    (async () => {
    const stream = await h3Server.sessionStream("/socket.io/");
    const sessionReader = stream.getReader();

    while (true) {
    const { done, value } = await sessionReader.read();
    if (done) {
    break;
    }
    io.engine.onWebTransportSession(value);
    }
    })();

    h3Server.startServer();

    Added in 123b68c.

    Client bundles with CORS headers

    The bundles will now have the right Access-Control-Allow-xxx headers.

    Added in 63f181c.

    Links

  • 4.6.2 - 2023-05-31

    Bug Fixes

    • exports: move types condition to the top (#4698) (3d44aae)

    Links

  • 4.6.1 - 2023-02-20
  • 4.6.0 - 2023-02-07
  • 4.6.0-alpha1 - 2023-01-25
  • 4.5.4 - 2022-11-22
  • 4.5.3 - 2022-10-15
  • 4.5.2 - 2022-09-02
  • 4.5.1 - 2022-05-17
  • 4.5.0 - 2022-04-23
  • 4.4.1 - 2022-01-06
from socket.io GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

[//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"assert","from":"2.0.0","to":"2.1.0"},{"name":"body-pa...

Snyk has created this PR to upgrade:
  - assert from 2.0.0 to 2.1.0.
    See this package in npm: https://www.npmjs.com/package/assert
  - body-parser from 1.19.2 to 1.20.2.
    See this package in npm: https://www.npmjs.com/package/body-parser
  - ejs from 3.1.7 to 3.1.10.
    See this package in npm: https://www.npmjs.com/package/ejs
  - express from 4.17.3 to 4.19.2.
    See this package in npm: https://www.npmjs.com/package/express
  - express-session from 1.17.2 to 1.18.0.
    See this package in npm: https://www.npmjs.com/package/express-session
  - express-validator from 5.3.0 to 5.3.1.
    See this package in npm: https://www.npmjs.com/package/express-validator
  - helmet from 5.0.2 to 5.1.1.
    See this package in npm: https://www.npmjs.com/package/helmet
  - nodemon from 2.0.15 to 2.0.22.
    See this package in npm: https://www.npmjs.com/package/nodemon
  - socket.io from 4.4.1 to 4.7.5.
    See this package in npm: https://www.npmjs.com/package/socket.io

See this project in Snyk:
https://app.snyk.io/org/biiigay/project/60fa2084-8db5-44a1-a5cb-22fe5c2a36c5?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants