Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency socket.io-parser to v4.2.3 [security] #30833

Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

chore(deps): update dependency socket.io-parser to v4.2.3 [security] #30833

wants to merge 2 commits into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 7, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
socket.io-parser 4.0.5 -> 4.2.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-32695

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

Another fix has been released for the 3.3.x branch:

socket.io version socket.io-parser version Needs minor update?
4.5.2...latest ~4.2.0 (ref) npm audit fix should be sufficient
4.1.3...4.5.1 ~4.1.1 (ref) Please upgrade to [email protected]
3.0.5...4.1.2 ~4.0.3 (ref) Please upgrade to [email protected]
3.0.0...3.0.4 ~4.0.1 (ref) Please upgrade to [email protected]
2.3.0...2.5.0 ~3.4.0 (ref) npm audit fix should be sufficient

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks to @​rafax00 for the responsible disclosure.

Release Notes

Automattic/socket.io-parser (socket.io-parser)

v4.2.3

Compare Source

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Please upgrade as soon as possible.

Bug Fixes
  • check the format of the event name (3b78117)
Links

v4.2.2

Compare Source

Bug Fixes
  • calling destroy() should clear all internal state (22c42e3)
  • do not modify the input packet upon encoding (ae8dd88)
Links

v4.2.1

Compare Source

Bug Fixes
  • check the format of the index of each attachment (b5d0cb7)
Links

v4.2.0

Compare Source

Features
Links

v4.1.2

Compare Source

Bug Fixes
  • allow objects with a null prototype in binary packets (#​114) (7f6b262)
Links

v4.1.1

Compare Source

Links

v4.1.0

Compare Source

Features
  • provide an ESM build with and without debug (388c616)
Links

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Ben M seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@cypress-app-bot
Copy link
Collaborator

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.

@renovate Renovate
Copy link
Contributor Author

renovate bot commented Jan 8, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
type: dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@CLAassistant @cypress-app-bot