Bump ws and engine.io-client#94
Conversation
Bumps [ws](https://github.com/websockets/ws) and [engine.io-client](https://github.com/socketio/socket.io). These dependencies needed to be updated together. Updates `ws` from 8.17.1 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.17.1...8.20.1) Updates `engine.io-client` from 6.6.1 to 6.6.5 - [Release notes](https://github.com/socketio/socket.io/releases) - [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md) - [Commits](https://github.com/socketio/socket.io/compare/engine.io-client@6.6.1...engine.io-client@6.6.5) --- updated-dependencies: - dependency-name: ws dependency-version: 8.20.1 dependency-type: indirect - dependency-name: engine.io-client dependency-version: 6.6.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
![semgrepcode-auth0[bot]](https://avatars.githubusercontent.com/in/977730?s=60&v=4){kind=small}
| }, | ||
| "jsonwebtoken": { | ||
| "node_modules/jsonwebtoken": { |
There was a problem hiding this comment.
Medium severity vulnerability may affect your project—review required:
Line 3735 lists a dependency (jsonwebtoken) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.
To resolve this comment:
Check if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function..
- If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "version": "1.0.0", | ||
| "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", | ||
| "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=", | ||
| "dev": true | ||
| }, | ||
| "fsevents": { | ||
| "node_modules/fsevents": { |
There was a problem hiding this comment.
👿 Malicious dependency detected—remove immediately
The version 1.1.3 of fsevents contains malicious code and is a critical security risk. Upgrade
to 1.2.11 to resolve this issue.
ℹ️ Why this matters
This specific version of fsevents contains malicious code. Upgrade to the safe version immediately.
References: https://osv.dev/vulnerability/MAL-2023-462
To resolve this comment:
Upgrade this dependency to at least version 1.2.11 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "version": "3.1.2", | ||
| "resolved": "https://registry.npmjs.org/@socket.io/component-emitter/-/component-emitter-3.1.2.tgz", | ||
| "integrity": "sha512-9BCxFwvbGg/RsZK9tjXd8s4UcwR0MWeFQ1XEKIQVVvAGJyINdrqKMcTRyLoK8Rse1GjzLV9cwjWV1olXRWEXVA==" | ||
| }, | ||
| "acorn": { | ||
| "node_modules/acorn": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 43 lists a dependency (acorn) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of acorn are vulnerable to Uncontrolled Resource Consumption. A regular-expression denial-of-service exists in Acorn's RegExp parser: a pattern like /[x-\ud800]/u (an invalid UTF-16 range) causes the parser to spin in an infinite loop. If an application feeds untrusted code directly into Acorn, an attacker can supply such a regex to trigger a CPU-hogging infinite loop and achieve Denial of Service.
References: GHSA
To resolve this comment:
Check if you are using acorn on the CLI.
- If you're affected, upgrade this dependency to at least version 5.7.4 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| } | ||
| }, | ||
| "tree-kill": { | ||
| "node_modules/tree-kill": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 5314 lists a dependency (tree-kill) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of tree-kill are vulnerable to Improper Control of Generation of Code ('Code Injection'). The tree-kill package is vulnerable to command injection on Windows. An attacker can control the unsanitized input passed to the kill function, potentially leading to arbitrary command execution on the host system.
To resolve this comment:
Check if you are using tree-kill Command Line Interface in Windows System.
- If you're affected, upgrade this dependency to at least version 1.2.2 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| }, | ||
| "jsonwebtoken": { | ||
| "node_modules/jsonwebtoken": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 3735 lists a dependency (jsonwebtoken) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
To resolve this comment:
Check if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.
- If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "ms": "2.0.0" | ||
| } | ||
| }, | ||
| "node_modules/fsevents/node_modules/deep-extend": { |
There was a problem hiding this comment.
Critical severity vulnerability introduced by a package you're using:
Line 2098 lists a dependency (deep-extend) with a known Critical severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected version of deep-extend is vulnerable to Prototype Pollution. Malicious input passed to deep-extend allows an attacker to overwrite the prototype of Object, polluting all JavaScript objects with arbitrary properties. This can lead to Denial of Service or even Remote Code Execution.
To resolve this comment:
Upgrade this dependency to at least version 0.5.1 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
|
Superseded by #97. |
Bumps ws and engine.io-client. These dependencies needed to be updated together.
Updates
wsfrom 8.17.1 to 8.20.1Release notes
Sourced from ws's releases.
... (truncated)
Commits
5d9b316[dist] 8.20.1c0327ec[security] Fix uninitialized memory disclosure inwebsocket.close()ce2a3d6[ci] Test on node 2658e45b8[ci] Do not test on node 255f26c24[ci] Run the lint step on node 248439255[dist] 8.20.0d3503c1[minor] Export thePerMessageDeflateclass and header utils3ee5349[api] Convert theisServerandmaxPayloadparameters to options91707b4[doc] Add missing space8b55319[pkg] Update eslint to version 10.0.1Updates
engine.io-clientfrom 6.6.1 to 6.6.5Release notes
Sourced from engine.io-client's releases.
Commits
8413bcechore(release): engine.io-client@6.6.5c10fe07refactor(eio-client): improve JSDoc documentation9349b14refactor(eio-client): remove unused importffe51e2chore(release): engine.io@6.6.8f86b95ffix(eio): clean up resources upon WebTransport handshake failure4276e59refactor(eio): fix typo in thecookieoption5257ef9chore(deps): upgrade to ws@8.20.1 (#5439)439a8f6chore(release): engine.io@6.6.7fc11285fix(eio): close HTTP requests with invalid content typeb059af6refactor(eio): use plain IncomingMessage in the public APIMaintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for engine.io-client since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.