[Snyk] Upgrade socket.io from 4.4.1 to 4.7.2

[okdargy]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade socket.io from 4.4.1 to 4.7.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 12 versions ahead of your current version.
• The recommended version was released 4 months ago, on 2023-08-02.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	589/1000 Why? Has a fix available, CVSS 7.5	No Known Exploit
	Uncaught Exception SNYK-JS-ENGINEIO-5496331	589/1000 Why? Has a fix available, CVSS 7.5	No Known Exploit
	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	589/1000 Why? Has a fix available, CVSS 7.5	No Known Exploit
	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-5596892	589/1000 Why? Has a fix available, CVSS 7.5	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: socket.io

• 4.7.2 - 2023-08-02
  

  Bug Fixes

  • clean up child namespace when client is rejected in middleware (#4773) (0731c0d)
  • webtransport: properly handle WebTransport-only connections (3468a19)
  • webtransport: add proper framing (a306db0)

  Links

  • Diff: 4.7.1...4.7.2
  • Client release: 4.7.2
  • engine.io@~6.5.2 (diff)
  • ws@~8.11.0 (no change)
• 4.7.1 - 2023-06-28
  

  The client bundle contains a few fixes regarding the WebTransport support.

  Links

  • Diff: 4.7.0...4.7.1
  • Client release: 4.7.1
  • engine.io@~6.5.0 (no change)
  • ws@~8.11.0 (no change)
• 4.7.0 - 2023-06-22
  

  Bug Fixes

  • remove the Partial modifier from the socket.data type (#4740) (e5c62ca)

  Features

  Support for WebTransport

  The Socket.IO server can now use WebTransport as the underlying transport.

  WebTransport is a web API that uses the HTTP/3 protocol as a bidirectional transport. It's intended for two-way communications between a web client and an HTTP/3 server.

  References:

  • https://w3c.github.io/webtransport/
  • https://developer.mozilla.org/en-US/docs/Web/API/WebTransport
  • https://developer.chrome.com/articles/webtransport/

  Until WebTransport support lands in Node.js, you can use the @ fails-components/webtransport package:

  https://w3c.github.io/webtransport/#custom-certificate-requirements)
  const cert = readFileSync("/path/to/my/cert.pem");
  const key = readFileSync("/path/to/my/key.pem");

  const httpsServer = createServer({
  key,
  cert
  });

  httpsServer.listen(3000);

  const io = new Server(httpsServer, {
  transports: ["polling", "websocket", "webtransport"] // WebTransport is not enabled by default
  });

  const h3Server = new Http3Server({
  port: 3000,
  host: "0.0.0.0",
  secret: "changeit",
  cert,
  privKey: key,
  });

  (async () => {
  const stream = await h3Server.sessionStream("/socket.io/");
  const sessionReader = stream.getReader();

  while (true) {
  const { done, value } = await sessionReader.read();
  if (done) {
  break;
  }
  io.engine.onWebTransportSession(value);
  }
  })();

  h3Server.startServer();">

  import { readFileSync } from "fs";
  
  import { createServer } from "https";
  
  import { Server } from "socket.io";
  
  import { Http3Server } from "@ fails-components/webtransport";
  
  // WARNING: the total length of the validity period MUST NOT exceed two weeks (https://w3c.github.io/webtransport/#custom-certificate-requirements)
  
  const cert = readFileSync("/path/to/my/cert.pem");
  
  const key = readFileSync("/path/to/my/key.pem");
  const httpsServer = createServer({
  
  key,
  
  cert
  
  });
  httpsServer.listen(3000);
  const io = new Server(httpsServer, {
  
  transports: ["polling", "websocket", "webtransport"] // WebTransport is not enabled by default
  
  });
  const h3Server = new Http3Server({
  
  port: 3000,
  
  host: "0.0.0.0",
  
  secret: "changeit",
  
  cert,
  
  privKey: key,
  
  });
  (async () => {
  
  const stream = await h3Server.sessionStream("/socket.io/");
  
  const sessionReader = stream.getReader();
  while (true) {
  
  const { done, value } = await sessionReader.read();
  
  if (done) {
  
  break;
  
  }
  
  io.engine.onWebTransportSession(value);
  
  }
  
  })();
  h3Server.startServer();

  Added in 123b68c.

  Client bundles with CORS headers

  The bundles will now have the right Access-Control-Allow-xxx headers.

  Added in 63f181c.

  Links

  • Diff: 4.6.2...4.7.0
  • Client release: 4.7.0
  • engine.io@~6.5.0 (diff)
  • ws@~8.11.0 (no change)
• 4.6.2 - 2023-05-31
  

  Bug Fixes

  • exports: move types condition to the top (#4698) (3d44aae)

  Links

  • Diff: 4.6.1...4.6.2
  • Client release: 4.6.2
  • engine.io@~6.4.2 (diff)
  • ws@~8.11.0 (no change)
• 4.6.1 - 2023-02-20
  

  Bug Fixes

  • properly handle manually created dynamic namespaces (0d0a7a2)
  • types: fix nodenext module resolution compatibility (#4625) (d0b22c6)

  Links

  • Diff: 4.6.0...4.6.1
  • Client release: 4.6.1
  • engine.io@~6.4.1 (diff)
  • ws@~8.11.0 (no change)
• 4.6.0 - 2023-02-07
  Read more
• 4.6.0-alpha1 - 2023-01-25
  

  The RemoteSocket interface, which is returned when the client is
  connected on another Socket.IO server of the cluster, was lacking the
  timeout() method.

  Syntax:

  const sockets = await io.fetchSockets();

  for (const socket of sockets) {
  if (someCondition) {
  socket.timeout(1000).emit("some-event", (err) => {
  if (err) {
  // the client did not acknowledge the event in the given delay
  }
  });
  }
  }

  Related: #4595

• 4.5.4 - 2022-11-22
  

  This release contains a bump of:

  • engine.io in order to fix CVE-2022-41940
  • socket.io-parser in order to fix CVE-2022-2421.

  Links:

  • Diff: 4.5.3...4.5.4
  • Client release: 4.5.4
  • engine.io@~6.2.1 (diff)
  • ws@~8.2.3
• 4.5.3 - 2022-10-15
  

  Bug Fixes

  • typings: accept an HTTP2 server in the constructor (d3d0a2d)
  • typings: apply types to "io.timeout(...).emit()" calls (e357daf)

  Links:

  • Diff: 4.5.2...4.5.3
  • Client release: 4.5.3
  • engine.io version: ~6.2.0
  • ws version: ~8.2.3
• 4.5.2 - 2022-09-02
  

  Bug Fixes

  • prevent the socket from joining a room after disconnection (18f3fda)
  • uws: prevent the server from crashing after upgrade (ba497ee)

  Links:

  • Diff: 4.5.1...4.5.2
  • Client release: 4.5.2
  • engine.io version: ~6.2.0
  • ws version: ~8.2.3
• 4.5.1 - 2022-05-17
• 4.5.0 - 2022-04-23
• 4.4.1 - 2022-01-06

from socket.io GitHub release notes

Commit messages

Package name: socket.io

• c332643 chore(release): 4.7.2
• 3468a19 fix(webtransport): properly handle WebTransport-only connections
• 09d4549 chore: bump engine.io to version 6.5.2
• 0731c0d fix: clean up child namespace when client is rejected in middleware (#4773)
• 03046a6 docs: update the list of supported Node.js versions
• 443e447 docs(examples): add example with WebTransport
• 2f6cc2f chore(release): 4.7.1
• 00d8ee5 chore(release): 4.7.0
• 2dd5fa9 ci: add Node.js 20 in the test matrix
• a5dff0a docs(examples): increase httpd ProxyTimeout value (2)
• 3035c25 docs(examples): increase httpd ProxyTimeout value
• 63f181c feat: serve client bundles with CORS headers
• a250e28 chore: bump engine.io to version 6.5.0
• e5c62ca fix: remove the Partial modifier from the socket.data type (#4740)
• 01d3762 docs(changelog): update the version range of the engine.io dependency
• faf914c chore(release): 4.6.2
• 15af22f refactor: add a noop handler for the error event
• d365894 chore: bump socket.io-parser to version 4.2.3
• 12b0de4 chore: bump engine.io to version 6.4.2
• 3d44aae fix(exports): move `types` condition to the top (#4698)
• cbf0362 docs(examples): bump dependencies for the private messaging example
• 59280da docs(examples): update examples to docker compose v2
• 50a4d37 docs(changelog): add version of transitive dependencies
• 6458b2b docs(example): basic WebSocket-only client

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs