New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 6 vulnerabilities #3

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-4f53288b7cf4722bda06701ae909f12c

snyk-bot commented Jan 17, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Insecure Defaults SNYK-JS-SOCKETIO-1024859	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	No	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: socket.io

The new version differs by 73 commits.

1af3267 chore(release): 3.0.0
02951c4 chore(release): 3.0.0-rc4
54bf4a4 feat: emit an Error object upon middleware error
aa7574f feat: serve msgpack bundle
64056d6 docs(examples): update TypeScript example
cacad70 chore(release): 3.0.0-rc3
d16c035 refactor: rename ERROR to CONNECT_ERROR
5c73733 feat: add support for catch-all listeners
129c641 feat: make Socket#join() and Socket#leave() synchronous
0d74f29 refactor(typings): export Socket class
7603da7 feat: remove prod dependency to socket.io-client
a81b9f3 docs(examples): add example with TypeScript
20ea6bd docs(examples): add example with ES modules
0ce5b4c chore(release): 3.0.0-rc2
8a5db7f refactor: remove duplicate _sockets map
2a05042 refactor: add additional typings
91cd255 fix: close clients with no namespace
58b66f8 refactor: hide internal methods and properties
669592d feat: move binary detection back to the parser
2d2a31e chore: publish the wrapper.mjs file
ebb0575 chore(release): 3.0.0-rc1
c0d171f test: use the reconnect event of the Manager
9c7a48d test: use the complete export name
4bd5b23 feat: throw upon reserved event names

See the full diff

Package name: socket.io-client

The new version differs by 25 commits.

de2ccff chore(release): 2.4.0
e9dd12a chore: bump engine.io-client version
7248c1e ci: migrate to GitHub Actions
4631ed6 chore(release): 2.3.1
7f73a28 test: fix tests in IE
67c54b8 chore: bump engine.io-parser and socket.io-parser
15a52ab test: remove arrow function (for now)
050108b fix: fix reconnection after opening socket asynchronously (#1253)
b570025 chore: bump engine.io-client and downgrade debug
1fb1b78 chore: remove unused dependencies
0c39f14 docs: add section about Debug / logging on the client side (#1278)
6ce02ee docs: add server port in the example (#1359)
f4a4d89 chore: update package-lock.json file
3c1d860 chore: bump component-emitter dependency (#1376)
b7dbbd2 test: fix race condition in the tests
661f1e7 [chore] Release 2.3.0
71d7b79 [chore] Bump engine.io-client to version 3.4.0
8b4a539 [docs] Add CDN link (#1318)
40cf185 [ci] use Node.js 10 for compatibility with Gulp v3
3020e45 [chore] Release 2.2.0
06e9a4c [chore] Bump dependencies
4a93871 [chore] Update the Makefile
eeafa44 [fix] Remove any reference to the `global` variable
dfc34e4 [chore] Pin zuul version

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


          fix: package.json & package-lock.json to reduce vulnerabilities

56d7ad6

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-WS-1296835
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1255647

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet