[Snyk] Security upgrade socket.io-client from 1.7.2 to 2.4.0

[geva]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:ws:20160920	No	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: socket.io-client

The new version differs by 72 commits.

• de2ccff chore(release): 2.4.0
• e9dd12a chore: bump engine.io-client version
• 7248c1e ci: migrate to GitHub Actions
• 4631ed6 chore(release): 2.3.1
• 7f73a28 test: fix tests in IE
• 67c54b8 chore: bump engine.io-parser and socket.io-parser
• 15a52ab test: remove arrow function (for now)
• 050108b fix: fix reconnection after opening socket asynchronously (Socket.io, https, and express continuous connect/disconnect loop socketio/socket.io#1253)
• b570025 chore: bump engine.io-client and downgrade debug
• 1fb1b78 chore: remove unused dependencies
• 0c39f14 docs: add section about Debug / logging on the client side (loop in client can force stack overflow in server socketio/socket.io#1278)
• 6ce02ee docs: add server port in the example (multiple certificate socketio/socket.io#1359)
• f4a4d89 chore: update package-lock.json file
• 3c1d860 chore: bump component-emitter dependency (handshakeData.address is undefined, "version": "0.9.16" socketio/socket.io#1376)
• b7dbbd2 test: fix race condition in the tests
• 661f1e7 [chore] Release 2.3.0
• 71d7b79 [chore] Bump engine.io-client to version 3.4.0
• 8b4a539 [docs] Add CDN link (Some real documentation socketio/socket.io#1318)
• 40cf185 [ci] use Node.js 10 for compatibility with Gulp v3
• 3020e45 [chore] Release 2.2.0
• 06e9a4c [chore] Bump dependencies
• 4a93871 [chore] Update the Makefile
• eeafa44 [fix] Remove any reference to the `global` variable
• dfc34e4 [chore] Pin zuul version

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Improper Input Validation
🦉 Insecure Randomness
🦉 More lessons are available in Snyk Learn