[Snyk] Security upgrade engine.io from 1.4.0 to 3.1.0 #3

iamstarkdev · 2022-05-17T06:58:26Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: engine.io

The new version differs by 250 commits.

935b155 [chore] Release 3.1.0
82ed65f [test] Add test for maxHttpBufferSize option with websocket (Redis store connection settings socketio/socket.io#499)
519fb8d [chore] Bump uws to version 0.14.4 (Fixes issue commented on in #377 socketio/socket.io#501)
7edb34e [chore] Bump dependencies (Clarification of reconnect semantics socketio/socket.io#500)
07d57d5 [chore] Release 3.0.0
fb7e2be [chore] Bump dependencies (Proposal to allow clients to specify a sessionid when connecting. (bug 497) socketio/socket.io#498)
57b7e5b [chore] Bump uws to version 0.14.1 (Allow clients to specify a sessionid when connecting. socketio/socket.io#497)
ec5d208 [chore] Merge 2.1.x branch (Closing a server takes 25 seconds to clean up socketio/socket.io#494)
120611f [chore] Bump ws to version 2.2.0 (TypeError: 'c' is not a constructor in Opera socketio/socket.io#487)
b436ca3 [chore] Drop support for old nodejs versions (0.10 & 0.12) (Honor maximum websocket frame length socketio/socket.io#493)
783e059 [chore] Release 2.1.0 (transport-name wrong for flashsocket connections socketio/socket.io#492)
81ef0bc [feat] Add an option to toggle handling of OPTIONS requests (setting Socket.IO to log: false causes total failure in Manager.js socketio/socket.io#491)
0946596 [chore] Bump engine.io-parser to version 2.0.1 (Flashsocket fallback fails since 0.8.0 socketio/socket.io#490)
b723cae [chore] Bump uws to version 0.13.0 (Object doesn't support property or method 'packet' socketio/socket.io#489)
bd1e81e [chore] Release 2.0.2 (Added http referrer verification to manager.js verifyOrigin socketio/socket.io#481)
01e36b4 [chore] Bump ws to version 1.1.2 (vulnerability fix) (Socket.IO appears to stop responding. socketio/socket.io#480)
0cbf363 [chore] Release 2.0.1 (Add checklist based input to guide the user through what to fill out for daily report. socketio/socket.io#477)
cdb487d [fix] Initialize the WebSocket server in the `Server` constructor (Uncaught, unspecified 'error' event. socketio/socket.io#476)
9b4e983 [chore] Release 2.0.0 (Prevent heartbeat disconnection when browser is blocking (alert, Flash File Browser, etc.) socketio/socket.io#472)
274efa1 [feature] Add an `initialPacket` option (socket io crash socketio/socket.io#471)
a3496ed [fix] Discard packets when socket is closed (How to close server debug partten? socketio/socket.io#469)
57ec952 [docs] Fix spelling mistake (Added http referrer verification to manager.js verifyOrigin socketio/socket.io#466)
bbffbd5 [chore] Bump engine.io-parser to version 2.0.0 (Count of connected clients/sockets socketio/socket.io#463)
f72f6f3 [fix] `allowRequest` failures now return 403 Forbidden (Can i simulate a browser client on node server socketio/socket.io#452)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/npm:ms:20170412

fix: package.json to reduce vulnerabilities

d57f7c2

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/npm:ms:20170412

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade engine.io from 1.4.0 to 3.1.0 #3

[Snyk] Security upgrade engine.io from 1.4.0 to 3.1.0 #3

iamstarkdev commented May 17, 2022

[Snyk] Security upgrade engine.io from 1.4.0 to 3.1.0 #3

Are you sure you want to change the base?

[Snyk] Security upgrade engine.io from 1.4.0 to 3.1.0 #3

Conversation

iamstarkdev commented May 17, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade: