chore(deps): update dependency socket.io-parser to 4.2.1 [security] - abandoned

[renovate]

This PR contains the following updates:

Package	Change
socket.io-parser	4.0.4 -> 4.0.5
socket.io-parser	4.2.0 -> 4.2.1

GitHub Vulnerability Alerts

CVE-2022-2421

Due to improper type validation in the socket.io-parser library (which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets), it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Example:

const decoder = new Decoder();

decoder.on("decoded", (packet) => {
 console.log(packet.data); // prints [ 'hello', [Function: splice] ]
})

decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');
decoder.add(Buffer.from("world"));

This bubbles up in the socket.io package:

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // here, "val" could be a function instead of a buffer
 });
});

⚠️ IMPORTANT NOTE ⚠️

You need to make sure that the payload that you received from the client is actually a Buffer object:

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 if (!Buffer.isBuffer(val)) {
 socket.disconnect();
 return;
 }
 // ...
 });
});

If that's already the case, then you are not impacted by this issue, and there is no way an attacker could make your server crash (or escalate privileges, ...).

Example of values that could be sent by a malicious user:

• a number that is out of bounds

Sample packet: 451-["hello",{"_placeholder":true,"num":10}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is `undefined`
 });
});

• a value that is not a number, like undefined

Sample packet: 451-["hello",{"_placeholder":true,"num":undefined}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is `undefined`
 });
});

• a string that is part of the prototype of Array, like "push"

Sample packet: 451-["hello",{"_placeholder":true,"num":"push"}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is a reference to the "push" function
 });
});

• a string that is part of the prototype of Object, like "hasOwnProperty"

Sample packet: 451-["hello",{"_placeholder":true,"num":"hasOwnProperty"}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is a reference to the "hasOwnProperty" function
 });
});

This should be fixed by:

• socketio/socket.io-parser@b5d0cb7, included in socket.io-parser@4.2.1
• socketio/socket.io-parser@b559f05, included in socket.io-parser@4.0.5
• socketio/socket.io-parser@04d23ce, included in socket.io-parser@3.4.2
• socketio/socket.io-parser@fb21e42, included in socket.io-parser@3.3.3

Dependency analysis for the socket.io package

socket.io version	socket.io-parser version	Covered?
4.5.2...latest	~4.2.0 (ref)	Yes ✔️
4.1.3...4.5.1	~4.0.4 (ref)	Yes ✔️
3.0.5...4.1.2	~4.0.3 (ref)	Yes ✔️
3.0.0...3.0.4	~4.0.1 (ref)	Yes ✔️
2.3.0...2.5.0	~3.4.0 (ref)	Yes ✔️

Dependency analysis for the socket.io-client package

socket.io-client version	socket.io-parser version	Covered?
4.5.0...latest	~4.2.0 (ref)	Yes ✔️
4.3.0...4.4.1	~4.1.1 (ref)	No, but the impact is very limited
3.1.0...4.2.0	~4.0.4 (ref)	Yes ✔️
3.0.5	~4.0.3 (ref)	Yes ✔️
3.0.0...3.0.4	~4.0.1 (ref)	Yes ✔️
2.2.0...2.5.0	~3.3.0 (ref)	Yes ✔️

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

Images automagically compressed by Calibre's image-actions ✨

Compression reduced images by 29.2%, saving 90.42 KB.

Filename	Before	After	Improvement	Visual comparison
template/public/img/uploads/banner2.webp	36.67 KB	33.43 KB	-8.8%	View diff
template/public/img/uploads/confira-nossas-promocoes.jpg	52.80 KB	42.37 KB	-19.8%	View diff
template/public/img/uploads/gloss-luxe-semi-definitiva.jpg	159.85 KB	85.36 KB	-46.6%	View diff
template/public/img/uploads/keratin-selagem.jpeg	51.58 KB	49.61 KB	-3.8%	View diff
template/public/img/uploads/rect89.webp	8.73 KB	8.44 KB	-3.3%	View diff

33 images did not require optimisation.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.