Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency socket.io to v4 [SECURITY] - autoclosed #751

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 10, 2021

WhiteSource Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
socket.io ^1.7.4 -> ^4.4.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-28481

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.


Release Notes

socketio/socket.io

v4.4.1

Compare Source

Bug Fixes

v4.4.0

Compare Source

Bug Fixes
  • only set 'connected' to true after middleware execution (02b0f73)
Features

4.3.2 (2021-11-08)

Bug Fixes

4.3.1 (2021-10-16)

Bug Fixes

v4.3.2

Compare Source

Bug Fixes

v4.3.1

Compare Source

Bug Fixes

v4.3.0

Compare Source

Bug Fixes
  • typings: add name field to cookie option (#​4099) (033c5d3)
  • send volatile packets with binary attachments (dc81fcf)
Features

v4.2.0

Compare Source

Bug Fixes
  • typings: allow async listener in typed events (ccfd8ca)
Features
  • ignore the query string when serving client JavaScript (#​4024) (24fee27)

4.1.3 (2021-07-10)

Bug Fixes
  • fix io.except() method (94e27cd)
  • remove x-sourcemap header (a4dffc6)

4.1.2 (2021-05-17)

Bug Fixes
  • typings: ensure compatibility with TypeScript 3.x (0cb6ac9)
  • ensure compatibility with previous versions of the adapter (a2cf248)

4.1.1 (2021-05-11)

Bug Fixes
  • typings: properly type server-side events (b84ed1e)
  • typings: properly type the adapter attribute (891b187)

v4.1.3

Compare Source

Bug Fixes
  • fix io.except() method (94e27cd)
  • remove x-sourcemap header (a4dffc6)

v4.1.2

Compare Source

Bug Fixes
  • typings: ensure compatibility with TypeScript 3.x (0cb6ac9)
  • ensure compatibility with previous versions of the adapter (a2cf248)

v4.1.1

Compare Source

Bug Fixes
  • typings: properly type server-side events (b84ed1e)
  • typings: properly type the adapter attribute (891b187)

v4.1.0

Compare Source

Features
  • add support for inter-server communication (93cce05)
  • notify upon namespace creation (499c892)
  • add a "connection_error" event (7096e98, from engine.io)
  • add the "initial_headers" and "headers" events (2527543, from engine.io)
Performance Improvements
  • add support for the "wsPreEncoded" writing option (dc381b7)

4.0.2 (2021-05-06)

Bug Fixes
  • typings: make "engine" attribute public (b81ce4c)
  • properly export the Socket class (d65b6ee)

4.0.1 (2021-03-31)

Bug Fixes

v4.0.2

Compare Source

Bug Fixes
  • typings: make "engine" attribute public (b81ce4c)
  • properly export the Socket class (d65b6ee)

v4.0.1

Compare Source

Bug Fixes

v4.0.0

Compare Source

Bug Fixes
  • make io.to(...) immutable (ac9e8ca)
Features

3.1.2 (2021-02-26)

Bug Fixes
  • ignore packets received after disconnection (494c64e)

3.1.1 (2021-02-03)

Bug Fixes
  • properly parse the CONNECT packet in v2 compatibility mode (6f4bd7f)
  • typings: add return types and general-case overload signatures (#​3776) (9e8f288)
  • typings: update the types of "query", "auth" and "headers" (4f2e9a7)

v3.1.2

Compare Source

Bug Fixes
  • ignore packets received after disconnection (494c64e)

v3.1.1

Compare Source

Bug Fixes
  • properly parse the CONNECT packet in v2 compatibility mode (6f4bd7f)
  • typings: add return types and general-case overload signatures (#​3776) (9e8f288)
  • typings: update the types of "query", "auth" and "headers" (4f2e9a7)

v3.1.0

Compare Source

Features
Bug Fixes
  • allow integers as event names (1c220dd)

3.0.5 (2021-01-05)

Bug Fixes
  • properly clear timeout on connection failure (170b739)
Reverts
  • restore the socket middleware functionality (bf54327)

3.0.4 (2020-12-07)

3.0.3 (2020-11-19)

3.0.2 (2020-11-17)

Bug Fixes
  • merge Engine.IO options (43705d7)

3.0.1 (2020-11-09)

Bug Fixes
  • export ServerOptions and Namespace types (#​3684) (f62f180)
  • typings: update the signature of the emit method (50671d9)

v3.0.5

Compare Source

Bug Fixes
  • properly clear timeout on connection failure (170b739)
Reverts
  • restore the socket middleware functionality (bf54327)

v3.0.4

Compare Source

v3.0.3

Compare Source

v3.0.2

Compare Source

Bug Fixes
  • merge Engine.IO options (43705d7)

v3.0.1

Compare Source

Bug Fixes
  • export ServerOptions and Namespace types (#​3684) (f62f180)
  • typings: update the signature of the emit method (50671d9)

v3.0.0

Compare Source

Bug Fixes
  • close clients with no namespace (91cd255)
Features
  • emit an Error object upon middleware error (54bf4a4)
  • serve msgpack bundle (aa7574f)
  • add support for catch-all listeners (5c73733)
  • make Socket#join() and Socket#leave() synchronous (129c641)
  • remove prod dependency to socket.io-client (7603da7)
  • move binary detection back to the parser (669592d)
  • add ES6 module export (8b6b100)
  • do not reuse the Engine.IO id (2875d2c)
  • remove Server#set() method (029f478)
  • remove Socket#rooms object (1507b41)
  • remove the 'origins' option (a8c0600)
  • remove the implicit connection to the default namespace (3289f7e)
  • throw upon reserved event names (4bd5b23)
BREAKING CHANGES
  • the Socket#use() method is removed (see 5c73733)

  • Socket#join() and Socket#leave() do not accept a callback argument anymore.

Before:

socket.join("room1", () => {
 io.to("room1").emit("hello");
});

After:

socket.join("room1");
io.to("room1").emit("hello");
// or await socket.join("room1"); for custom adapters
  • the "connected" map is renamed to "sockets"
  • the Socket#binary() method is removed, as this use case is now covered by the ability to provide your own parser.
  • the 'origins' option is removed

Before:

new Server(3000, {
  origins: ["https://example.com"]
});

The 'origins' option was used in the allowRequest method, in order to
determine whether the request should pass or not. And the Engine.IO
server would implicitly add the necessary Access-Control-Allow-xxx
headers.

After:

new Server(3000, {
  cors: {
    origin: "https://example.com",
    methods: ["GET", "POST"],
    allowedHeaders: ["content-type"]
  }
});

The already existing 'allowRequest' option can be used for validation:

new Server(3000, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.referer.startsWith("https://example.com"));
  }
});
  • Socket#rooms is now a Set instead of an object

  • Namespace#connected is now a Map instead of an object

  • there is no more implicit connection to the default namespace:

// client-side
const socket = io("/admin");

// server-side
io.on("connect", socket => {
  // not triggered anymore
})

io.use((socket, next) => {
  // not triggered anymore
});

io.of("/admin").use((socket, next) => {
  // triggered
});
  • the Server#set() method was removed

This method was kept for backward-compatibility with pre-1.0 versions.

v2.4.1

Compare Source

This release reverts the breaking change introduced in 2.4.0 (socketio/socket.io@f78a575).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

  • without CORS (server and client are served from the same domain):
const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});
  • with CORS (server and client are served from distinct domains):
io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts
  • fix(security): do not allow all origins by default (a169050)
Links:

v2.4.0

Compare Source

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)
  • add support for all cookie options (19cc582)
  • disable perMessageDeflate by default (5ad2736)
Bug Fixes
  • security: do not allow all origins by default (f78a575)
  • properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

  • you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
  • you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

Thanks a lot to @​ni8walk3r for the security report.

Links:

v2.3.0

Compare Source

This release mainly contains a bump of the engine.io and ws packages, but no additional features.

Links:

v2.2.0

Compare Source

Features
  • add cache-control header when serving the client source (#​2907)
Bug fixes
  • throw an error when trying to access the clients of a dynamic namespace (#​3355)
Links

v2.1.1

Compare Source

Features
socket.local.to('room101').emit(/* */);
Bug fixes

(client) fire an error event on middleware failure for non-root namespace (socketio/socket.io-client#1202)

Links:

v2.1.0

Compare Source

Features
// by default, the object is recursively scanned to check whether it contains some binary data
// in the following example, the check is skipped in order to improve performance
socket.binary(false).emit('plain-object', object);

// it also works at the namespace level
io.binary(false).emit('plain-object', object);
  • add support for dynamic namespaces (#​3195)
io.of(/^\/dynamic-\d+$/).on('connect', (socket) => {
  // socket.nsp.name = '/dynamic-101'
});

// client-side
const client = require('socket.io-client')('/dynamic-101');
Bug fixes
  • properly emit 'connect' when using a custom namespace (#​3197)
  • include the protocol in the origins check (#​3198)
Important note ⚠️ from Engine.IO 3.2.0 release

There are two non-breaking changes that are somehow quite important:

var engine = require('engine.io');
var server = engine.listen(3000, {
  wsEngine: 'uws'
});
Links:

v2.0.4

Compare Source

Bug fixes

  • do not throw when receiving an unhandled error packet (#​3038)
  • reset rooms object before broadcasting from namespace (#​3039)
Links:

v2.0.3

Compare Source

Bug fixes

  • reset rooms object before broadcasting (#​2970)
  • fix middleware initialization (#​2969)
Links:

v2.0.2

Compare Source

Bug fixes

  • fix timing issues with middleware (#​2948)
Links:

v2.0.1

Compare Source

Bug fixes

- update path of client file (#​2934)

Links:

v2.0.0

Compare Source

This major release brings several performance improvements:

  • uws is now the default Websocket engine. It should bring significant improvement in performance (particularly in terms of memory consumption) (https://github.com/socketio/engine.io/releases/tag/2.0.0)

  • the Engine.IO and Socket.IO handshake packets were merged, reducing the number of roundtrips necessary to establish a connection. (#​2833)

  • it is now possible to provide a custom parser according to the needs of your application (#​2829). Please take a look at the example for more information.

Please note that this release is not backward-compatible, due to:

Please also note that if you are using a self-signed certificate, rejectUnauthorized now defaults to true (socketio/engine.io-client#558).

Finally, the API documentation is now in the repository (here), and the content of the website here. Do not hesitate if you see something wrong or missing!

The full list of changes:

Besides, we are proud to announce that Socket.IO is now a part of open collective: https://opencollective.com/socketio. More on that later.


Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 27f4e0d to 3287060 Compare March 10, 2021 13:22
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 3287060 to f0f12f1 Compare March 20, 2021 09:42
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 3519ea0 to 2d6e0d9 Compare April 6, 2021 17:18
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 2d6e0d9 to b0bfbd3 Compare April 19, 2021 15:30
@renovate renovate bot changed the title Update dependency socket.io [SECURITY] Update dependency socket.io to v2.4.0 [SECURITY] Apr 19, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from b0bfbd3 to 512afc5 Compare April 19, 2021 22:24
@renovate renovate bot changed the title Update dependency socket.io to v2.4.0 [SECURITY] Update dependency socket.io [SECURITY] Apr 19, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 512afc5 to 60c0114 Compare April 20, 2021 13:06
@renovate renovate bot changed the title Update dependency socket.io [SECURITY] Update dependency socket.io to v2.4.0 [SECURITY] Apr 20, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 60c0114 to f9bbb33 Compare April 20, 2021 17:06
@renovate renovate bot changed the title Update dependency socket.io to v2.4.0 [SECURITY] Update dependency socket.io [SECURITY] Apr 20, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from f9bbb33 to ea58eda Compare April 20, 2021 18:29
@renovate renovate bot changed the title Update dependency socket.io [SECURITY] Update dependency socket.io to v2.4.0 [SECURITY] Apr 20, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from ea58eda to a167b48 Compare April 21, 2021 17:56
@renovate renovate bot changed the title Update dependency socket.io to v2.4.0 [SECURITY] Update dependency socket.io [SECURITY] Apr 21, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from a167b48 to f95d23e Compare April 21, 2021 21:42
@renovate renovate bot changed the title Update dependency socket.io [SECURITY] Update dependency socket.io to v2.4.0 [SECURITY] Apr 21, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from f95d23e to 51a66f7 Compare April 27, 2021 16:43
@renovate renovate bot changed the title Update dependency socket.io to v2.4.0 [SECURITY] Update dependency socket.io [SECURITY] Apr 27, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 51a66f7 to 062cb99 Compare April 27, 2021 18:10
@renovate renovate bot changed the title Update dependency socket.io [SECURITY] Update dependency socket.io to v2.4.0 [SECURITY] Apr 27, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 062cb99 to d51abf0 Compare April 29, 2021 18:47
@renovate renovate bot changed the title Update dependency socket.io to v2.4.0 [SECURITY] Update dependency socket.io [SECURITY] Apr 29, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from d51abf0 to f48dcfe Compare April 29, 2021 20:42
@renovate renovate bot changed the title Update dependency socket.io [SECURITY] Update dependency socket.io to v2.4.0 [SECURITY] Apr 29, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from f48dcfe to 77bc16a Compare May 4, 2021 20:50
@renovate renovate bot changed the title Update dependency socket.io to v2.4.0 [SECURITY] Update dependency socket.io [SECURITY] May 4, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 77bc16a to fb1a173 Compare May 4, 2021 22:05
@renovate renovate bot changed the title Update dependency socket.io [SECURITY] Update dependency socket.io to v2.4.0 [SECURITY] May 4, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from f35ba92 to 0d3b1ba Compare November 8, 2021 13:24
@renovate renovate bot changed the title Update dependency socket.io to v2 [SECURITY] Update dependency socket.io to v4 [SECURITY] Nov 8, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 0d3b1ba to 6712ebb Compare November 8, 2021 15:37
@renovate renovate bot changed the title Update dependency socket.io to v4 [SECURITY] Update dependency socket.io to v2 [SECURITY] Nov 8, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 6712ebb to 34e16ad Compare November 10, 2021 08:54
@renovate renovate bot changed the title Update dependency socket.io to v2 [SECURITY] Update dependency socket.io to v4 [SECURITY] Nov 10, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 34e16ad to 333b335 Compare November 10, 2021 11:06
@renovate renovate bot changed the title Update dependency socket.io to v4 [SECURITY] Update dependency socket.io to v2 [SECURITY] Nov 10, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 333b335 to 104beff Compare November 12, 2021 10:14
@renovate renovate bot changed the title Update dependency socket.io to v2 [SECURITY] Update dependency socket.io to v4 [SECURITY] Nov 12, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 104beff to d2e47ce Compare November 12, 2021 12:07
@renovate renovate bot changed the title Update dependency socket.io to v4 [SECURITY] Update dependency socket.io to v2 [SECURITY] Nov 12, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from d2e47ce to f9de361 Compare November 12, 2021 23:20
@renovate renovate bot changed the title Update dependency socket.io to v2 [SECURITY] Update dependency socket.io to v4 [SECURITY] Nov 12, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from f9de361 to 1e3a339 Compare November 13, 2021 00:58
@renovate renovate bot changed the title Update dependency socket.io to v4 [SECURITY] Update dependency socket.io to v2 [SECURITY] Nov 13, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 1e3a339 to 58f2fe9 Compare November 15, 2021 10:21
@renovate renovate bot changed the title Update dependency socket.io to v2 [SECURITY] Update dependency socket.io to v4 [SECURITY] Nov 15, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 58f2fe9 to 2a72008 Compare November 15, 2021 11:31
@renovate renovate bot changed the title Update dependency socket.io to v4 [SECURITY] Update dependency socket.io to v2 [SECURITY] Nov 15, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 2a72008 to 216bb1c Compare November 18, 2021 17:14
@renovate renovate bot changed the title Update dependency socket.io to v2 [SECURITY] Update dependency socket.io to v4 [SECURITY] Nov 18, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 216bb1c to de96dc9 Compare November 18, 2021 18:38
@renovate renovate bot changed the title Update dependency socket.io to v4 [SECURITY] Update dependency socket.io to v2 [SECURITY] Nov 18, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from de96dc9 to 961ff64 Compare March 7, 2022 14:14
@renovate renovate bot changed the title Update dependency socket.io to v2 [SECURITY] Update dependency socket.io to v4 [SECURITY] Mar 7, 2022
@renovate renovate bot changed the title Update dependency socket.io to v4 [SECURITY] Update dependency socket.io to v4 [SECURITY] - autoclosed Mar 26, 2022
@renovate renovate bot closed this Mar 26, 2022
@renovate renovate bot deleted the renovate/npm-socket.io-vulnerability branch March 26, 2022 15:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant