Update dependency socket.io to ~2.4.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
socket.io	~2.0.0 -> ~2.4.0

GitHub Vulnerability Alerts

CVE-2020-28481

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

---

Release Notes

socketio/socket.io

v2.4.0

Compare Source

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)

• add support for all cookie options (19cc582)
• disable perMessageDeflate by default (5ad2736)

Bug Fixes

• security: do not allow all origins by default (f78a575)
• properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

• you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
• you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://socket.io/docs/v3/handling-cors/
• https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling

Thanks a lot to @​ni8walk3r for the security report.

Links:

• Milestone: 2.4.0
• Diff: socketio/socket.io@2.3.0...2.4.0
• Client release: 2.4.0
• engine.io version: ~3.5.0
• ws version: ~7.4.2

v2.3.0

Compare Source

This release mainly contains a bump of the engine.io and ws packages, but no additional features.

Links:

• Milestone: 2.3.0
• Diff: socketio/socket.io@2.2.0...2.3.0
• Client release: 2.3.0
• engine.io version: ~3.4.0 (diff: socketio/engine.io@3.3.1...3.4.2)
• ws version: ^7.1.2 (diff: websockets/ws@6.1.2...7.3.1)

v2.2.0

Compare Source

Features

• add cache-control header when serving the client source (#​2907)

Bug fixes

• throw an error when trying to access the clients of a dynamic namespace (#​3355)

Links

• Milestone: 2.2.0
• Diff: socketio/socket.io@2.1.1...2.2.0
• Client release: 2.2.0
• engine.io version: ~3.3.1 (diff: socketio/engine.io@3.2.0...3.3.1)
• ws version: ~6.1.0 (diff: websockets/ws@3.3.1...6.1.2)

v2.1.1

Compare Source

Features

• add local flag to the socket object (add local flag to the socket object socketio/socket.io#3219)

socket.local.to('room101').emit(/* */);

Bug fixes

(client) fire an error event on middleware failure for non-root namespace (socketio/socket.io-client#1202)

Links:

• Milestone: 2.1.1
• Diff: socketio/socket.io@2.1.0...2.1.1
• Client release: 2.1.1
• engine.io version: ~3.2.0
• ws version: ~3.3.1

v2.1.0

Compare Source

Features

• add a 'binary' flag (#​3185)

// by default, the object is recursively scanned to check whether it contains some binary data
// in the following example, the check is skipped in order to improve performance
socket.binary(false).emit('plain-object', object);

// it also works at the namespace level
io.binary(false).emit('plain-object', object);

• add support for dynamic namespaces (#​3195)

io.of(/^\/dynamic-\d+$/).on('connect', (socket) => {
  // socket.nsp.name = '/dynamic-101'
});

// client-side
const client = require('socket.io-client')('/dynamic-101');

Bug fixes

• properly emit 'connect' when using a custom namespace (#​3197)
• include the protocol in the origins check (#​3198)

Important note ⚠️ from Engine.IO 3.2.0 release

There are two non-breaking changes that are somehow quite important:

• ws was reverted as the default wsEngine ([chore] Revert to ws as default wsEngine socketio/engine.io#550), as there was several blocking issues with uws. You can still use uws by running npm install uws --save in your project and using the wsEngine option:

var engine = require('engine.io');
var server = engine.listen(3000, {
  wsEngine: 'uws'
});

• pingTimeout now defaults to 5 seconds (instead of 60 seconds): [chore] Update default value of pingTimeout socketio/engine.io#551

Links:

• Milestone: 2.1.0
• Diff: socketio/socket.io@2.0.4...2.1.0
• Client release: 2.1.0
• engine.io version: ~3.2.0 (diff: socketio/engine.io@3.1.0...3.2.0)
• ws version: ~3.3.1 (diff: websockets/ws@2.3.1...3.3.1)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by Mend Renovate. View repository job log here.