Skip to content

fix(deps): update dependency socket.io-parser to v4.2.3 [security] #32542

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

fix(deps): update dependency socket.io-parser to v4.2.3 [security] #32542

wants to merge 1 commit into from
+12 −8

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 22, 2025
edited
Loading

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
socket.io-parser 4.0.5 -> 4.2.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-32695

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

Another fix has been released for the 3.3.x branch:

socket.io version socket.io-parser version Needs minor update?
4.5.2...latest ~4.2.0 (ref) npm audit fix should be sufficient
4.1.3...4.5.1 ~4.1.1 (ref) Please upgrade to socket.io@4.6.x
3.0.5...4.1.2 ~4.0.3 (ref) Please upgrade to socket.io@4.6.x
3.0.0...3.0.4 ~4.0.1 (ref) Please upgrade to socket.io@4.6.x
2.3.0...2.5.0 ~3.4.0 (ref) npm audit fix should be sufficient

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks to @​rafax00 for the responsible disclosure.

Release Notes

Automattic/socket.io-parser (socket.io-parser)

v4.2.3

Compare Source

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Please upgrade as soon as possible.

Bug Fixes
  • check the format of the event name (3b78117)
Links

v4.2.2

Compare Source

Bug Fixes
  • calling destroy() should clear all internal state (22c42e3)
  • do not modify the input packet upon encoding (ae8dd88)
Links

v4.2.1

Compare Source

Bug Fixes
  • check the format of the index of each attachment (b5d0cb7)
Links

v4.2.0

Compare Source

Features
Links

v4.1.2

Compare Source

Bug Fixes
  • allow objects with a null prototype in binary packets (#​114) (7f6b262)
Links

v4.1.1

Compare Source

Links

v4.1.0

Compare Source

Features
  • provide an ESM build with and without debug (388c616)
Links

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@cypress-app-bot
Copy link
Collaborator

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.

@renovate renovate bot force-pushed the renovate/npm-socket.io-parser-vulnerability branch 7 times, most recently from 8a50032 to 552d1ab Compare September 23, 2025 15:32
cursor[bot]

This comment was marked as outdated.

Sign in to view

@renovate renovate bot force-pushed the renovate/npm-socket.io-parser-vulnerability branch 13 times, most recently from 854f5eb to bd2de59 Compare September 30, 2025 14:06
@renovate renovate bot force-pushed the renovate/npm-socket.io-parser-vulnerability branch 7 times, most recently from 2f9d446 to 1abbee5 Compare October 2, 2025 13:41
@renovate renovate bot force-pushed the renovate/npm-socket.io-parser-vulnerability branch 15 times, most recently from fb088f1 to 8b4dabb Compare October 3, 2025 19:57
@renovate renovate bot force-pushed the renovate/npm-socket.io-parser-vulnerability branch from 8b4dabb to 0fa8206 Compare October 4, 2025 14:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
type: dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@cypress-app-bot