Skip to content
This repository has been archived by the owner on Jan 26, 2023. It is now read-only.

fix(deps): update dependency socket.io to v2 [security] #34

Open
wants to merge 1 commit into
base: gh-pages
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 23, 2021

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
socket.io ~1.0.1 -> ~2.4.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-28481

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.


Release Notes

socketio/socket.io

v2.4.0

Compare Source

Bug Fixes
  • security: do not allow all origins by default (f78a575)
  • properly overwrite the query sent in the handshake (d33a619)

3.0.4 (2020-12-07)

3.0.3 (2020-11-19)

3.0.2 (2020-11-17)

Bug Fixes
  • merge Engine.IO options (43705d7)

3.0.1 (2020-11-09)

Bug Fixes
  • export ServerOptions and Namespace types (#​3684) (f62f180)
  • typings: update the signature of the emit method (50671d9)

v2.3.0

Compare Source

This release mainly contains a bump of the engine.io and ws packages, but no additional features.

v2.2.0

Compare Source

Features
  • add cache-control header when serving the client source (#​2907) (b00ae50)
Bug fixes
  • throw an error when trying to access the clients of a dynamic namespace (#​3355) (a7fbd1a)

v2.1.1

Compare Source

Features
socket.local.to('room101').emit(/* */);

v2.1.0

Compare Source

Features
// by default, the object is recursively scanned to check whether it contains some binary data
// in the following example, the check is skipped in order to improve performance
socket.binary(false).emit('plain-object', object);

// it also works at the namespace level
io.binary(false).emit('plain-object', object);
io.of(/^\/dynamic-\d+$/).on('connect', (socket) => {
  // socket.nsp.name = '/dynamic-101'
});

// client-side
const client = require('socket.io-client')('/dynamic-101');
Bug fixes
Important note ⚠️ from Engine.IO 3.2.0 release

There are two non-breaking changes that are somehow quite important:

var engine = require('engine.io');
var server = engine.listen(3000, {
  wsEngine: 'uws'
});

v2.0.4

Compare Source

Bug fixes

  • do not throw when receiving an unhandled error packet (#​3038)
  • reset rooms object before broadcasting from namespace (#​3039)
Links:

v2.0.3

Compare Source

Bug fixes

  • reset rooms object before broadcasting (#​2970)
  • fix middleware initialization (#​2969)
Links:

v2.0.2

Compare Source

Bug fixes

  • fix timing issues with middleware (#​2948)
Links:

v2.0.1

Compare Source

Bug fixes

- update path of client file (#​2934)

Links:

v2.0.0

Compare Source

This major release brings several performance improvements:

  • uws is now the default Websocket engine. It should bring significant improvement in performance (particularly in terms of memory consumption) (https://github.com/socketio/engine.io/releases/tag/2.0.0)

  • the Engine.IO and Socket.IO handshake packets were merged, reducing the number of roundtrips necessary to establish a connection. (#​2833)

  • it is now possible to provide a custom parser according to the needs of your application (#​2829). Please take a look at the example for more information.

Please note that this release is not backward-compatible, due to:

Please also note that if you are using a self-signed certificate, rejectUnauthorized now defaults to true (https://github.com/socketio/engine.io-client/pull/558).

Finally, the API documentation is now in the repository (here), and the content of the website here. Do not hesitate if you see something wrong or missing!

The full list of changes:

Besides, we are proud to announce that Socket.IO is now a part of open collective: https://opencollective.com/socketio. More on that later.

v1.7.4

Compare Source

  • [chore] Bump engine.io to version 1.8.4

v1.7.3

Compare Source

  • [chore] Bump engine.io-client to version 1.8.3

v1.7.2

Compare Source

  • [chore] Bump engine.io to version 1.8.2 (#​2782)
  • [fix] Fixes socket.use error packet (#​2772)

v1.7.1

Compare Source

(following socket.io-client update)

v1.7.0

Compare Source

  • [docs] Comment connected socket availability for adapters (#​2081)
  • [docs] Fixed grammar issues in the README.md (#​2159)
  • [feature] serve sourcemap for socket.io-client (#​2482)
  • [feature] Add a local flag (#​2628)
  • [chore] Bump engine.io to version 1.8.1 (#​2765)
  • [chore] Update client location and serve minified file (#​2766)

v1.6.0

Compare Source

  • [fix] Make ETag header comply with standard. (#​2603)
  • [feature] Loading client script on demand. (#​2567)
  • [test] Fix leaking clientSocket (#​2721)
  • [feature] Add support for all event emitter methods (#​2601)
  • [chore] Update year to 2016 (#​2456)
  • [feature] Add support for socket middleware (#​2306)
  • [feature] add support for Server#close(callback) (#​2748)
  • [fix] Don't drop query variables on handshake (#​2745)
  • [example] Add disconnection/reconnection logs to the chat example (#​2675)
  • [perf] Minor code optimizations (#​2219)
  • [chore] Bump debug to version 2.3.3 (#​2754)
  • [chore] Bump engine.io to version 1.8.0 (#​2755)
  • [chore] Bump socket.io-adapter to version 0.5.0 (#​2756)

v1.5.1

Compare Source

  • [fix] Avoid swallowing exceptions thrown by user event handlers (#​2682)
  • [test] Use client function to unify client in test script (#​2731)
  • [docs] Add link to LICENSE (#​2221)
  • [docs] Fix JSDoc of optional parameters (#​2465)
  • [docs] Fix typo (#​2724)
  • [docs] Link readme npm package badge to npm registry page (#​2612)
  • [docs] Minor fixes (#​2526)
  • [chore] Bump socket.io-parser to 2.3.0 (#​2730)
  • [chore] Add Github issue and PR templates (#​2733)
  • [chore] Bump engine.io to 1.7.2 (#​2729)
  • [chore] Bump socket.io-parser to 2.3.1 (#​2734)

v1.5.0

Compare Source

  • [feature] stop append /# before id when no namespace (#​2509)
  • [feature] Add a 'disconnecting' event to access to socket.rooms upon disconnection (#​2332)
  • [fix] Fix query string management (#​2422)
  • [fix] add quote to exec paths, prevent error when spaces in path (#​2508)
  • [docs] Prevent mixup for new programmers (#​2599)
  • [example] Fix chat display in Firefox (#​2477)
  • [chore] Add gulp & babel in the build process (#​2471)
  • [chore] Bump engine.io to 1.7.0 (#​2707)
  • [chore] Remove unused zuul-ngrok dependency (#​2708)
  • [chore] Point towards current master of socket.io-client (#​2710)
  • [chore] Restrict files included in npm package (#​2709)
  • [chore] Link build badge to master branch (#​2549)

v1.4.8

Compare Source

v1.4.7

Compare Source

v1.4.6

Compare Source

v1.4.5

Compare Source

v1.4.4

Compare Source

v1.4.3

Compare Source

v1.4.2

Compare Source

v1.4.1

Compare Source

v1.4.0

Compare Source

v1.3.7

Compare Source

v1.3.6

Compare Source

v1.3.5

Compare Source

v1.3.4

Compare Source

v1.3.3

Compare Source

v1.3.2

Compare Source

v1.3.1

Compare Source

v1.3.0

Compare Source

v1.2.1

Compare Source

v1.2.0

Compare Source

v1.1.0

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from a197432 to 9480a9c Compare April 26, 2021 14:46
@renovate renovate bot changed the title Update dependency socket.io to v3 [SECURITY] Update dependency socket.io to v4 [SECURITY] Apr 26, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 9480a9c to dca1759 Compare May 15, 2021 19:54
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from dca1759 to af2e464 Compare October 18, 2021 16:48
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from af2e464 to 33f00eb Compare March 7, 2022 16:00
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 33f00eb to bd17b8f Compare April 24, 2022 18:00
@renovate renovate bot changed the title Update dependency socket.io to v4 [SECURITY] fix(deps): update dependency socket.io to ~1.7.0 [security] Sep 25, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 48c0f5b to c1fd3de Compare September 26, 2022 02:09
@renovate renovate bot changed the title fix(deps): update dependency socket.io to ~1.7.0 [security] fix(deps): update dependency socket.io to v2 [security] Sep 26, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from c1fd3de to 18ad72c Compare September 27, 2022 06:05
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] fix(deps): update dependency socket.io to ~1.7.0 [security] Sep 27, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 18ad72c to 61d1688 Compare September 28, 2022 07:11
@renovate renovate bot changed the title fix(deps): update dependency socket.io to ~1.7.0 [security] fix(deps): update dependency socket.io to v2 [security] Sep 28, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 61d1688 to c45025b Compare October 2, 2022 12:27
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] fix(deps): update dependency socket.io to ~1.7.0 [security] Oct 2, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from c45025b to 07b3e09 Compare October 2, 2022 16:02
@renovate renovate bot changed the title fix(deps): update dependency socket.io to ~1.7.0 [security] fix(deps): update dependency socket.io to v2 [security] Oct 2, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 07b3e09 to 979ad3a Compare October 5, 2022 04:11
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] fix(deps): update dependency socket.io to ~1.7.0 [security] Oct 5, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 979ad3a to 09e8623 Compare October 5, 2022 06:18
@renovate renovate bot changed the title fix(deps): update dependency socket.io to ~1.7.0 [security] fix(deps): update dependency socket.io to v2 [security] Oct 5, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 09e8623 to 645e31a Compare October 5, 2022 16:03
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] fix(deps): update dependency socket.io to ~1.7.0 [security] Oct 5, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 645e31a to b6a1d4f Compare October 5, 2022 19:35
@renovate renovate bot changed the title fix(deps): update dependency socket.io to ~1.7.0 [security] fix(deps): update dependency socket.io to v2 [security] Oct 5, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from b6a1d4f to e7c214e Compare October 6, 2022 09:08
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] fix(deps): update dependency socket.io to ~1.7.0 [security] Oct 6, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from e7c214e to 820b51b Compare October 6, 2022 11:38
@renovate renovate bot changed the title fix(deps): update dependency socket.io to ~1.7.0 [security] fix(deps): update dependency socket.io to v2 [security] Oct 6, 2022
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] fix(deps): update dependency socket.io to ~1.7.0 [security] Dec 10, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 134e381 to 7dbd333 Compare December 10, 2022 10:18
@renovate renovate bot changed the title fix(deps): update dependency socket.io to ~1.7.0 [security] fix(deps): update dependency socket.io to v2 [security] Dec 10, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 7dbd333 to 31b368b Compare December 11, 2022 14:19
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] fix(deps): update dependency socket.io to ~1.7.0 [security] Dec 11, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 31b368b to 0bf9ce0 Compare December 11, 2022 19:16
@renovate renovate bot changed the title fix(deps): update dependency socket.io to ~1.7.0 [security] fix(deps): update dependency socket.io to v2 [security] Dec 11, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 0bf9ce0 to 68eba71 Compare December 17, 2022 07:51
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] fix(deps): update dependency socket.io to ~1.7.0 [security] Dec 17, 2022
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 68eba71 to 2c51594 Compare December 17, 2022 10:00
@renovate renovate bot changed the title fix(deps): update dependency socket.io to ~1.7.0 [security] fix(deps): update dependency socket.io to v2 [security] Dec 17, 2022
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] Update dependency socket.io to v2 [SECURITY] Dec 17, 2022
@renovate renovate bot changed the title Update dependency socket.io to v2 [SECURITY] fix(deps): update dependency socket.io to v2 [security] Dec 17, 2022
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] fix(deps): update dependency socket.io to v2 [security] - autoclosed Dec 20, 2022
@renovate renovate bot closed this Dec 20, 2022
@renovate renovate bot deleted the renovate/npm-socket.io-vulnerability branch December 20, 2022 02:33
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] - autoclosed fix(deps): update dependency socket.io to v2 [security] Dec 20, 2022
@renovate renovate bot reopened this Dec 20, 2022
@renovate renovate bot restored the renovate/npm-socket.io-vulnerability branch December 20, 2022 05:54
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] fix(deps): update dependency socket.io to v2 [security] - autoclosed Dec 29, 2022
@renovate renovate bot closed this Dec 29, 2022
@renovate renovate bot deleted the renovate/npm-socket.io-vulnerability branch December 29, 2022 03:02
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] - autoclosed fix(deps): update dependency socket.io to v2 [security] Dec 29, 2022
@renovate renovate bot reopened this Dec 29, 2022
@renovate renovate bot restored the renovate/npm-socket.io-vulnerability branch December 29, 2022 05:24
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 2c51594 to e19fa05 Compare January 6, 2023 12:30
@renovate renovate bot changed the title fix(deps): update dependency socket.io to v2 [security] fix(deps): update dependency socket.io to ~1.7.0 [security] Jan 6, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from e19fa05 to fdd4d80 Compare January 6, 2023 15:35
@renovate renovate bot changed the title fix(deps): update dependency socket.io to ~1.7.0 [security] fix(deps): update dependency socket.io to v2 [security] Jan 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants