-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependency socket.io to v4 [SECURITY] - autoclosed #751
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
March 10, 2021 13:22
27f4e0d
to
3287060
Compare
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
March 20, 2021 09:42
3287060
to
f0f12f1
Compare
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
2 times, most recently
from
April 6, 2021 17:18
3519ea0
to
2d6e0d9
Compare
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
April 19, 2021 15:30
2d6e0d9
to
b0bfbd3
Compare
renovate
bot
changed the title
Update dependency socket.io [SECURITY]
Update dependency socket.io to v2.4.0 [SECURITY]
Apr 19, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
April 19, 2021 22:24
b0bfbd3
to
512afc5
Compare
renovate
bot
changed the title
Update dependency socket.io to v2.4.0 [SECURITY]
Update dependency socket.io [SECURITY]
Apr 19, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
April 20, 2021 13:06
512afc5
to
60c0114
Compare
renovate
bot
changed the title
Update dependency socket.io [SECURITY]
Update dependency socket.io to v2.4.0 [SECURITY]
Apr 20, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
April 20, 2021 17:06
60c0114
to
f9bbb33
Compare
renovate
bot
changed the title
Update dependency socket.io to v2.4.0 [SECURITY]
Update dependency socket.io [SECURITY]
Apr 20, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
April 20, 2021 18:29
f9bbb33
to
ea58eda
Compare
renovate
bot
changed the title
Update dependency socket.io [SECURITY]
Update dependency socket.io to v2.4.0 [SECURITY]
Apr 20, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
April 21, 2021 17:56
ea58eda
to
a167b48
Compare
renovate
bot
changed the title
Update dependency socket.io to v2.4.0 [SECURITY]
Update dependency socket.io [SECURITY]
Apr 21, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
April 21, 2021 21:42
a167b48
to
f95d23e
Compare
renovate
bot
changed the title
Update dependency socket.io [SECURITY]
Update dependency socket.io to v2.4.0 [SECURITY]
Apr 21, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
April 27, 2021 16:43
f95d23e
to
51a66f7
Compare
renovate
bot
changed the title
Update dependency socket.io to v2.4.0 [SECURITY]
Update dependency socket.io [SECURITY]
Apr 27, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
April 27, 2021 18:10
51a66f7
to
062cb99
Compare
renovate
bot
changed the title
Update dependency socket.io [SECURITY]
Update dependency socket.io to v2.4.0 [SECURITY]
Apr 27, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
April 29, 2021 18:47
062cb99
to
d51abf0
Compare
renovate
bot
changed the title
Update dependency socket.io to v2.4.0 [SECURITY]
Update dependency socket.io [SECURITY]
Apr 29, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
April 29, 2021 20:42
d51abf0
to
f48dcfe
Compare
renovate
bot
changed the title
Update dependency socket.io [SECURITY]
Update dependency socket.io to v2.4.0 [SECURITY]
Apr 29, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
May 4, 2021 20:50
f48dcfe
to
77bc16a
Compare
renovate
bot
changed the title
Update dependency socket.io to v2.4.0 [SECURITY]
Update dependency socket.io [SECURITY]
May 4, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
May 4, 2021 22:05
77bc16a
to
fb1a173
Compare
renovate
bot
changed the title
Update dependency socket.io [SECURITY]
Update dependency socket.io to v2.4.0 [SECURITY]
May 4, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 8, 2021 13:24
f35ba92
to
0d3b1ba
Compare
renovate
bot
changed the title
Update dependency socket.io to v2 [SECURITY]
Update dependency socket.io to v4 [SECURITY]
Nov 8, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 8, 2021 15:37
0d3b1ba
to
6712ebb
Compare
renovate
bot
changed the title
Update dependency socket.io to v4 [SECURITY]
Update dependency socket.io to v2 [SECURITY]
Nov 8, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 10, 2021 08:54
6712ebb
to
34e16ad
Compare
renovate
bot
changed the title
Update dependency socket.io to v2 [SECURITY]
Update dependency socket.io to v4 [SECURITY]
Nov 10, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 10, 2021 11:06
34e16ad
to
333b335
Compare
renovate
bot
changed the title
Update dependency socket.io to v4 [SECURITY]
Update dependency socket.io to v2 [SECURITY]
Nov 10, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 12, 2021 10:14
333b335
to
104beff
Compare
renovate
bot
changed the title
Update dependency socket.io to v2 [SECURITY]
Update dependency socket.io to v4 [SECURITY]
Nov 12, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 12, 2021 12:07
104beff
to
d2e47ce
Compare
renovate
bot
changed the title
Update dependency socket.io to v4 [SECURITY]
Update dependency socket.io to v2 [SECURITY]
Nov 12, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 12, 2021 23:20
d2e47ce
to
f9de361
Compare
renovate
bot
changed the title
Update dependency socket.io to v2 [SECURITY]
Update dependency socket.io to v4 [SECURITY]
Nov 12, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 13, 2021 00:58
f9de361
to
1e3a339
Compare
renovate
bot
changed the title
Update dependency socket.io to v4 [SECURITY]
Update dependency socket.io to v2 [SECURITY]
Nov 13, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 15, 2021 10:21
1e3a339
to
58f2fe9
Compare
renovate
bot
changed the title
Update dependency socket.io to v2 [SECURITY]
Update dependency socket.io to v4 [SECURITY]
Nov 15, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 15, 2021 11:31
58f2fe9
to
2a72008
Compare
renovate
bot
changed the title
Update dependency socket.io to v4 [SECURITY]
Update dependency socket.io to v2 [SECURITY]
Nov 15, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 18, 2021 17:14
2a72008
to
216bb1c
Compare
renovate
bot
changed the title
Update dependency socket.io to v2 [SECURITY]
Update dependency socket.io to v4 [SECURITY]
Nov 18, 2021
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
November 18, 2021 18:38
216bb1c
to
de96dc9
Compare
renovate
bot
changed the title
Update dependency socket.io to v4 [SECURITY]
Update dependency socket.io to v2 [SECURITY]
Nov 18, 2021
Signed-off-by: Renovate Bot <[email protected]>
renovate
bot
force-pushed
the
renovate/npm-socket.io-vulnerability
branch
from
March 7, 2022 14:14
de96dc9
to
961ff64
Compare
renovate
bot
changed the title
Update dependency socket.io to v2 [SECURITY]
Update dependency socket.io to v4 [SECURITY]
Mar 7, 2022
renovate
bot
changed the title
Update dependency socket.io to v4 [SECURITY]
Update dependency socket.io to v4 [SECURITY] - autoclosed
Mar 26, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^1.7.4
->^4.4.1
GitHub Vulnerability Alerts
CVE-2020-28481
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Release Notes
socketio/socket.io
v4.4.1
Compare Source
Bug Fixes
RemoteSocket.data
type safe (#4234) (770ee59)SocketData
type to custom namespaces (#4233) (f2b8de7)v4.4.0
Compare Source
Bug Fixes
Features
socket.data
(#4159) (fe8730c)4.3.2 (2021-11-08)
Bug Fixes
4.3.1 (2021-10-16)
Bug Fixes
v4.3.2
Compare Source
Bug Fixes
v4.3.1
Compare Source
Bug Fixes
v4.3.0
Compare Source
Bug Fixes
Features
v4.2.0
Compare Source
Bug Fixes
Features
4.1.3 (2021-07-10)
Bug Fixes
4.1.2 (2021-05-17)
Bug Fixes
4.1.1 (2021-05-11)
Bug Fixes
v4.1.3
Compare Source
Bug Fixes
v4.1.2
Compare Source
Bug Fixes
v4.1.1
Compare Source
Bug Fixes
v4.1.0
Compare Source
Features
engine.io
)engine.io
)Performance Improvements
4.0.2 (2021-05-06)
Bug Fixes
4.0.1 (2021-03-31)
Bug Fixes
v4.0.2
Compare Source
Bug Fixes
v4.0.1
Compare Source
Bug Fixes
v4.0.0
Compare Source
Bug Fixes
Features
3.1.2 (2021-02-26)
Bug Fixes
3.1.1 (2021-02-03)
Bug Fixes
v3.1.2
Compare Source
Bug Fixes
v3.1.1
Compare Source
Bug Fixes
v3.1.0
Compare Source
Features
Bug Fixes
3.0.5 (2021-01-05)
Bug Fixes
Reverts
3.0.4 (2020-12-07)
3.0.3 (2020-11-19)
3.0.2 (2020-11-17)
Bug Fixes
3.0.1 (2020-11-09)
Bug Fixes
v3.0.5
Compare Source
Bug Fixes
Reverts
v3.0.4
Compare Source
v3.0.3
Compare Source
v3.0.2
Compare Source
Bug Fixes
v3.0.1
Compare Source
Bug Fixes
v3.0.0
Compare Source
Bug Fixes
Features
BREAKING CHANGES
the Socket#use() method is removed (see 5c73733)
Socket#join() and Socket#leave() do not accept a callback argument anymore.
Before:
After:
Before:
The 'origins' option was used in the allowRequest method, in order to
determine whether the request should pass or not. And the Engine.IO
server would implicitly add the necessary Access-Control-Allow-xxx
headers.
After:
The already existing 'allowRequest' option can be used for validation:
Socket#rooms is now a Set instead of an object
Namespace#connected is now a Map instead of an object
there is no more implicit connection to the default namespace:
This method was kept for backward-compatibility with pre-1.0 versions.
v2.4.1
Compare Source
This release reverts the breaking change introduced in
2.4.0
(socketio/socket.io@f78a575).If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:
In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).
Reverts
Links:
~3.5.0
~7.4.2
v2.4.0
Compare Source
Related blog post: https://socket.io/blog/socket-io-2-4-0/
Features (from Engine.IO)
Bug Fixes
Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (
Access-Control-Allow-xxx
) to any domain. This will not be the case anymore, and you now have to explicitly enable it.Please note that you are not impacted if:
origins
option to restrict the list of allowed domainsThis commit also removes the support for '*' matchers and protocol-less URL:
To restore the previous behavior (please use with caution):
See also:
Thanks a lot to @ni8walk3r for the security report.
Links:
~3.5.0
~7.4.2
v2.3.0
Compare Source
This release mainly contains a bump of the
engine.io
andws
packages, but no additional features.Links:
~3.4.0
(diff: socketio/engine.io@3.3.1...3.4.2)^7.1.2
(diff: websockets/ws@6.1.2...7.3.1)v2.2.0
Compare Source
Features
Bug fixes
Links
~3.3.1
(diff: socketio/engine.io@3.2.0...3.3.1)~6.1.0
(diff: websockets/ws@3.3.1...6.1.2)v2.1.1
Compare Source
Features
Bug fixes
(client) fire an error event on middleware failure for non-root namespace (socketio/socket.io-client#1202)
Links:
~3.2.0
~3.3.1
v2.1.0
Compare Source
Features
Bug fixes
Important note⚠️ from Engine.IO 3.2.0 release
There are two non-breaking changes that are somehow quite important:
ws
was reverted as the default wsEngine ([chore] Revert tows
as default wsEngine socketio/engine.io#550), as there was several blocking issues withuws
. You can still useuws
by runningnpm install uws --save
in your project and using thewsEngine
option:pingTimeout
now defaults to 5 seconds (instead of 60 seconds): [chore] Update default value of pingTimeout socketio/engine.io#551Links:
~3.2.0
(diff: socketio/engine.io@3.1.0...3.2.0)~3.3.1
(diff: websockets/ws@2.3.1...3.3.1)v2.0.4
Compare Source
Bug fixes
Links:
engine.io
: -ws
: -v2.0.3
Compare Source
Bug fixes
Links:
engine.io
: -ws
: -v2.0.2
Compare Source
Bug fixes
Links:
engine.io
: -ws
: -v2.0.1
Compare Source
Bug fixes
- update path of client file (#2934)
Links:
engine.io
: -ws
: -v2.0.0
Compare Source
This major release brings several performance improvements:
uws is now the default Websocket engine. It should bring significant improvement in performance (particularly in terms of memory consumption) (https://github.com/socketio/engine.io/releases/tag/2.0.0)
the Engine.IO and Socket.IO handshake packets were merged, reducing the number of roundtrips necessary to establish a connection. (#2833)
it is now possible to provide a custom parser according to the needs of your application (#2829). Please take a look at the example for more information.
Please note that this release is not backward-compatible, due to:
Please also note that if you are using a self-signed certificate,
rejectUnauthorized
now defaults totrue
(socketio/engine.io-client#558).Finally, the API documentation is now in the repository (here), and the content of the website here. Do not hesitate if you see something wrong or missing!
The full list of changes:
local
flag (#2816)clients
method in the API documentation (#2812)Besides, we are proud to announce that Socket.IO is now a part of open collective: https://opencollective.com/socketio. More on that later.
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.