Skip to content

[Snyk] Fix for 5 vulnerabilities#117

Merged
TwistedHardware merged 1 commit intomasterfrom
snyk-fix-7de1bd49d49d2c3845a378c1b07b588b
Nov 13, 2022
Merged

[Snyk] Fix for 5 vulnerabilities#117
TwistedHardware merged 1 commit intomasterfrom
snyk-fix-7de1bd49d49d2c3845a378c1b07b588b

Conversation

@TwistedHardware
Copy link
Copy Markdown
Collaborator

@TwistedHardware TwistedHardware commented Nov 12, 2022

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • static/uadmin/assets/socket.io/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-1056752		 Yes Proof of Concept
critical severity 776/1000
Why? Recently disclosed, Has a fix available, CVSS 9.8		 Improper Input Validation
SNYK-JS-SOCKETIOPARSER-3091012		 Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835		 Yes Proof of Concept
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 Yes No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:ms:20170412		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: engine.io The new version differs by 26 commits.
  • 935b155 [chore] Release 3.1.0
  • 82ed65f [test] Add test for maxHttpBufferSize option with websocket (#499)
  • 519fb8d [chore] Bump uws to version 0.14.4 (#501)
  • 7edb34e [chore] Bump dependencies (#500)
  • 07d57d5 [chore] Release 3.0.0
  • fb7e2be [chore] Bump dependencies (#498)
  • 57b7e5b [chore] Bump uws to version 0.14.1 (#497)
  • ec5d208 [chore] Merge 2.1.x branch (#494)
  • 120611f [chore] Bump ws to version 2.2.0 (#487)
  • b436ca3 [chore] Drop support for old nodejs versions (0.10 & 0.12) (#493)
  • 783e059 [chore] Release 2.1.0 (#492)
  • 81ef0bc [feat] Add an option to toggle handling of OPTIONS requests (#491)
  • 0946596 [chore] Bump engine.io-parser to version 2.0.1 (#490)
  • b723cae [chore] Bump uws to version 0.13.0 (#489)
  • bd1e81e [chore] Release 2.0.2 (#481)
  • 01e36b4 [chore] Bump ws to version 1.1.2 (vulnerability fix) (#480)
  • 0cbf363 [chore] Release 2.0.1 (#477)
  • cdb487d [fix] Initialize the WebSocket server in the `Server` constructor (#476)
  • 9b4e983 [chore] Release 2.0.0 (#472)
  • 274efa1 [feature] Add an `initialPacket` option (#471)
  • a3496ed [fix] Discard packets when socket is closed (#469)
  • 57ec952 [docs] Fix spelling mistake (#466)
  • bbffbd5 [chore] Bump engine.io-parser to version 2.0.0 (#463)
  • f72f6f3 [fix] `allowRequest` failures now return 403 Forbidden (#452)

See the full diff

Package name: socket.io-client The new version differs by 104 commits.
  • b7e07ba chore(release): 3.0.0
  • ffa2804 chore(release): 3.0.0-rc4
  • 0939395 feat: emit an Error object upon middleware error
  • 969debe refactor: rework of the Manager events
  • a9127ce chore(release): 3.0.0-rc3
  • 13e1db7 refactor: rename ERROR to CONNECT_ERROR
  • 55f464f feat: add support for catch-all listeners
  • 71d6048 feat: add bundle with msgpack parser
  • f3cbe98 refactor: additional typings
  • 7ddad2c feat: add volatile events
  • b600e78 chore(release): 3.0.0-rc2
  • 1789094 feat: move binary detection back to the parser
  • c7998d5 refactor: add Manager and Socket typings
  • 2c7c230 chore: publish the wrapper.mjs file
  • a66473f chore: use socketio GitHub organization
  • 946a9f0 chore: fix test script
  • a838ff1 chore(release): 3.0.0-rc1
  • b68f816 chore: bump debug
  • cbabb03 feat: add ES6 module export
  • e826992 refactor: remove the 'connect_timeout' event
  • b60e909 refactor: remove the 'connecting' event
  • 6494f61 feat: throw upon reserved event names
  • 132f8ec feat: split the events of the Manager and Socket
  • 6cd2e4e refactor: remove the packetBuffer array

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Improper Input Validation
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn

@TwistedHardware TwistedHardware merged commit bc4f1ee into master Nov 13, 2022
@TwistedHardware TwistedHardware deleted the snyk-fix-7de1bd49d49d2c3845a378c1b07b588b branch November 22, 2022 19:00
@snyk-bot snyk-bot mentioned this pull request Feb 9, 2023
Open
This was referenced May 24, 2023
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TwistedHardware @snyk-bot