This repository has been archived by the owner on Jan 30, 2023. It is now read-only.
Update dependency socket.io to ~2.5.0 [SECURITY] #8
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
~2.0.0
->~2.5.0
GitHub Vulnerability Alerts
CVE-2020-28481
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Release Notes
socketio/socket.io
v2.5.0
Compare Source
The default value of the
maxHttpBufferSize
option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.Security advisory: GHSA-j4f2-536g-r55m
Bug Fixes
Links:
~3.6.0
(diff)~7.4.2
v2.4.1
Compare Source
This release reverts the breaking change introduced in
2.4.0
(socketio/socket.io@f78a575).If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:
In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).
Reverts
Links:
~3.5.0
~7.4.2
v2.4.0
Compare Source
Related blog post: https://socket.io/blog/socket-io-2-4-0/
Features (from Engine.IO)
Bug Fixes
Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (
Access-Control-Allow-xxx
) to any domain. This will not be the case anymore, and you now have to explicitly enable it.Please note that you are not impacted if:
origins
option to restrict the list of allowed domainsThis commit also removes the support for '*' matchers and protocol-less URL:
To restore the previous behavior (please use with caution):
See also:
Thanks a lot to @ni8walk3r for the security report.
Links:
~3.5.0
~7.4.2
v2.3.0
Compare Source
This release mainly contains a bump of the
engine.io
andws
packages, but no additional features.Links:
~3.4.0
(diff: socketio/engine.io@3.3.1...3.4.2)^7.1.2
(diff: websockets/ws@6.1.2...7.3.1)v2.2.0
Compare Source
Features
Bug fixes
Links
~3.3.1
(diff: socketio/engine.io@3.2.0...3.3.1)~6.1.0
(diff: websockets/ws@3.3.1...6.1.2)v2.1.1
Compare Source
Features
Bug fixes
(client) fire an error event on middleware failure for non-root namespace (socketio/socket.io-client#1202)
Links:
~3.2.0
~3.3.1
v2.1.0
Compare Source
Features
Bug fixes
Important note⚠️ from Engine.IO 3.2.0 release
There are two non-breaking changes that are somehow quite important:
ws
was reverted as the default wsEngine ([chore] Revert tows
as default wsEngine socketio/engine.io#550), as there was several blocking issues withuws
. You can still useuws
by runningnpm install uws --save
in your project and using thewsEngine
option:pingTimeout
now defaults to 5 seconds (instead of 60 seconds): [chore] Update default value of pingTimeout socketio/engine.io#551Links:
~3.2.0
(diff: socketio/engine.io@3.1.0...3.2.0)~3.3.1
(diff: websockets/ws@2.3.1...3.3.1)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.