[Snyk] Upgrade socket.io from 4.6.1 to 4.7.1
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to upgrade socket.io from 4.6.1 to 4.7.1.
- The recommended version is 3 versions ahead of your current version.
- The recommended version was released 22 days ago, on 2023-06-28.
The recommended version fixes:
| Severity | Issue | PriorityScore (*) | Exploit Maturity |
|---|---|---|---|
 |
Uncaught Exception SNYK-JS-ENGINEIO-5496331 |
375/1000 Why? CVSS 7.5 |
No Known Exploit |
|
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795 |
375/1000 Why? CVSS 7.5 |
Proof of Concept |
|
Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-5596892 |
375/1000 Why? CVSS 7.5 |
No Known Exploit |
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: socket.io
-
4.7.1 - 2023-06-28
The client bundle contains a few fixes regarding the WebTransport support.
Links
- Diff: 4.7.0...4.7.1
- Client release: 4.7.1
-
engine.io@~6.5.0(no change) -
ws@~8.11.0(no change)
-
4.7.0 - 2023-06-22
Bug Fixes
Features
Support for WebTransport
The Socket.IO server can now use WebTransport as the underlying transport.
WebTransport is a web API that uses the HTTP/3 protocol as a bidirectional transport. It's intended for two-way communications between a web client and an HTTP/3 server.
References:
- https://w3c.github.io/webtransport/
- https://developer.mozilla.org/en-US/docs/Web/API/WebTransport
- https://developer.chrome.com/articles/webtransport/
Until WebTransport support lands in Node.js, you can use the
@ fails-components/webtransportpackage:// WARNING: the total length of the validity period MUST NOT exceed two weeks (https://w3c.github.io/webtransport/#custom-certificate-requirements) const cert = readFileSync("/path/to/my/cert.pem"); const key = readFileSync("/path/to/my/key.pem");const httpsServer = createServer({ key, cert });
httpsServer.listen(3000);
const io = new Server(httpsServer, { transports: ["polling", "websocket", "webtransport"] // WebTransport is not enabled by default });
const h3Server = new Http3Server({ port: 3000, host: "0.0.0.0", secret: "changeit", cert, privKey: key, });
(async () => { const stream = await h3Server.sessionStream("/socket.io/"); const sessionReader = stream.getReader();
while (true) { const { done, value } = await sessionReader.read(); if (done) { break; } io.engine.onWebTransportSession(value); } })();
h3Server.startServer();">
import { readFileSync } from "fs"; import { createServer } from "https"; import { Server } from "socket.io"; import { Http3Server } from "@ fails-components/webtransport";
// WARNING: the total length of the validity period MUST NOT exceed two weeks (https://w3c.github.io/webtransport/#custom-certificate-requirements) const cert = readFileSync("/path/to/my/cert.pem"); const key = readFileSync("/path/to/my/key.pem");
const httpsServer = createServer({ key, cert });
httpsServer.listen(3000);
const io = new Server(httpsServer, { transports: ["polling", "websocket", "webtransport"] // WebTransport is not enabled by default });
const h3Server = new Http3Server({ port: 3000, host: "0.0.0.0", secret: "changeit", cert, privKey: key, });
(async () => { const stream = await h3Server.sessionStream("/socket.io/"); const sessionReader = stream.getReader();
while (true) { const { done, value } = await sessionReader.read(); if (done) { break; } io.engine.onWebTransportSession(value); } })();
h3Server.startServer();
Added in 123b68c.
Client bundles with CORS headers
The bundles will now have the right
Access-Control-Allow-xxxheaders.Added in 63f181c.
Links
- Diff: 4.6.2...4.7.0
- Client release: 4.7.0
-
engine.io@~6.5.0(diff) -
ws@~8.11.0(no change)
-
4.6.2 - 2023-05-31
Bug Fixes
Links
- Diff: 4.6.1...4.6.2
- Client release: 4.6.2
-
engine.io@~6.4.2(diff) -
ws@~8.11.0(no change)
-
4.6.1 - 2023-02-20
Bug Fixes
- properly handle manually created dynamic namespaces (0d0a7a2)
- types: fix nodenext module resolution compatibility (#4625) (d0b22c6)
Links
- Diff: 4.6.0...4.6.1
- Client release: 4.6.1
-
engine.io@~6.4.1(diff) -
ws@~8.11.0(no change)
Commit messages
Package name: socket.io
- 2f6cc2f chore(release): 4.7.1
- 00d8ee5 chore(release): 4.7.0
- 2dd5fa9 ci: add Node.js 20 in the test matrix
- a5dff0a docs(examples): increase httpd ProxyTimeout value (2)
- 3035c25 docs(examples): increase httpd ProxyTimeout value
- 63f181c feat: serve client bundles with CORS headers
- a250e28 chore: bump engine.io to version 6.5.0
- e5c62ca fix: remove the Partial modifier from the socket.data type (#4740)
- 01d3762 docs(changelog): update the version range of the engine.io dependency
- faf914c chore(release): 4.6.2
- 15af22f refactor: add a noop handler for the error event
- d365894 chore: bump socket.io-parser to version 4.2.3
- 12b0de4 chore: bump engine.io to version 6.4.2
- 3d44aae fix(exports): move `types` condition to the top (#4698)
- cbf0362 docs(examples): bump dependencies for the private messaging example
- 59280da docs(examples): update examples to docker compose v2
- 50a4d37 docs(changelog): add version of transitive dependencies
- 6458b2b docs(example): basic WebSocket-only client
- b56da8a docs(examples): upgrade to React 18
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: 