Created by: renovate[bot]
This PR contains the following updates:
Package | Change |
---|---|
engine.io | 3.3.2 -> 3.6.1 |
GitHub Vulnerability Alerts
CVE-2020-36048
Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
CVE-2022-41940
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
events.js:292
throw er; // Unhandled 'error' event
^
Error: read ECONNRESET
at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
at emitErrorNT (internal/streams/destroy.js:106:8)
at emitErrorCloseNT (internal/streams/destroy.js:74:3)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
errno: -104,
code: 'ECONNRESET',
syscall: 'read'
}
This impacts all the users of the engine.io
package, including those who uses depending packages like socket.io
.
Patches
A fix has been released today (2022/11/20):
Version range | Fixed version |
---|---|
engine.io@3.x.y |
3.6.1 |
engine.io@6.x.y |
6.2.1 |
For socket.io
users:
Version range |
engine.io version |
Needs minor update? |
---|---|---|
socket.io@4.5.x |
~6.2.0 |
npm audit fix should be sufficient |
socket.io@4.4.x |
~6.1.0 |
Please upgrade to socket.io@4.5.x
|
socket.io@4.3.x |
~6.0.0 |
Please upgrade to socket.io@4.5.x
|
socket.io@4.2.x |
~5.2.0 |
Please upgrade to socket.io@4.5.x
|
socket.io@4.1.x |
~5.1.1 |
Please upgrade to socket.io@4.5.x
|
socket.io@4.0.x |
~5.0.0 |
Please upgrade to socket.io@4.5.x
|
socket.io@3.1.x |
~4.1.0 |
Please upgrade to socket.io@4.5.x (see here) |
socket.io@3.0.x |
~4.0.0 |
Please upgrade to socket.io@4.5.x (see here) |
socket.io@2.5.0 |
~3.6.0 |
npm audit fix should be sufficient |
socket.io@2.4.x and below |
~3.5.0 |
Please upgrade to socket.io@2.5.0
|
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
- Open an issue in
engine.io
Thanks to Jonathan Neve for the responsible disclosure.
Configuration
-
If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.