[dist] Update dependency engine.io to 3.6.1 [SECURITY] (!1577) · Merge requests · http ... PARTY! / node-http-proxy

Open Administrator requested to merge renovate/npm-engine.io-vulnerability into master Mar 07, 2022

Created by: renovate[bot]

This PR contains the following updates:

Package	Change
engine.io	`3.3.2` -> `3.6.1`

GitHub Vulnerability Alerts

CVE-2020-36048

Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

CVE-2022-41940

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

Version range	Fixed version
`engine.io@3.x.y`	`3.6.1`
`engine.io@6.x.y`	`6.2.1`

For socket.io users:

Version range	`engine.io` version	Needs minor update?
`socket.io@4.5.x`	`~6.2.0`	`npm audit fix` should be sufficient
`socket.io@4.4.x`	`~6.1.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.3.x`	`~6.0.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.2.x`	`~5.2.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.1.x`	`~5.1.1`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.0.x`	`~5.0.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@3.1.x`	`~4.1.0`	Please upgrade to `socket.io@4.5.x` (see here)
`socket.io@3.0.x`	`~4.0.0`	Please upgrade to `socket.io@4.5.x` (see here)
`socket.io@2.5.0`	`~3.6.0`	`npm audit fix` should be sufficient
`socket.io@2.4.x` and below	`~3.5.0`	Please upgrade to `socket.io@2.5.0`

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.