Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Security upgrade socket.io from 1.3.7 to 2.5.0 #9

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade socket.io from 1.3.7 to 2.5.0 #9

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • slides/plugin/multiplex/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 661/1000
Why? Recently disclosed, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-ENGINEIO-3136336		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: socket.io The new version differs by 250 commits.
  • baa6804 chore(release): 2.5.0
  • f223178 fix: prevent the socket from joining a room after disconnection
  • 226cc16 fix: only set 'connected' to true after middleware execution
  • 05e1278 fix: fix race condition in dynamic namespaces
  • 22d4bdf fix: ignore packet received after disconnection
  • dfded53 chore: update engine.io version to 3.6.0
  • e6b8697 chore(release): 2.4.1
  • a169050 revert: fix(security): do not allow all origins by default
  • 873fdc5 chore(release): 2.4.0
  • f78a575 fix(security): do not allow all origins by default
  • d33a619 fix: properly overwrite the query sent in the handshake
  • 3951a79 chore: bump engine.io version
  • 6fa026f ci: migrate to GitHub Actions
  • 47161a6 [chore] Release 2.3.0
  • cf39362 [chore] Bump socket.io-parser to version 3.4.0
  • 4d01b2c test: remove deprecated Buffer usage (#3481)
  • 8227192 [docs] Fix the default value of the 'origins' parameter (#3464)
  • 1150eb5 [chore] Bump engine.io to version 3.4.0
  • 9c1e73c [chore] Update the license of the chat example (#3410)
  • df05b73 [chore] Release 2.2.0
  • b00ae50 [feat] Add cache-control header when serving the client source (#2907)
  • d3c653d [docs] Add Touch Support to the whiteboard example (#3104)
  • a7fbd1a [fix] Throw an error when trying to access the clients of a dynamic namespace (#3355)
  • 190d22b [chore] Bump dependencies

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@snyk-bot