[Snyk] Upgrade socket.io from 1.3.7 to 3.0.3 #1

snyk-bot · 2020-12-10T21:43:33Z

Snyk has created this PR to upgrade socket.io from 1.3.7 to 3.0.3.

✨ Snyk has automatically assigned this pull request, set who gets assigned.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Warning: This is a major version upgrade, and may be a breaking change.

The recommended version is 34 versions ahead of your current version.
The recommended version was released 22 days ago, on 2020-11-19.

The recommended version fixes:

Issue	PriorityScore (*)	Exploit Maturity
Denial of Service (DoS) npm:ws:20171108	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Mature
Denial of Service (DoS) npm:ws:20160624	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	No Known Exploit
Insecure Defaults npm:engine.io-client:20160426	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	No Known Exploit
Insecure Randomness npm:ws:20160920	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	No Known Exploit
Remote Memory Exposure npm:ws:20160104	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:ms:20151024	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: socket.io

3.0.3 - 2020-11-19
Links:
- Milestone: -
- Diff: 3.0.2...3.0.3
- Client release: 3.0.3
- engine.io version: ~4.0.0
- ws version: ^7.1.2
3.0.2 - 2020-11-17
Bug Fixes
- merge Engine.IO options (43705d7)
Links:
- Milestone: 3.0.2
- Diff: 3.0.1...3.0.2
- Client release: 3.0.2
- engine.io version: ~4.0.0
- ws version: ^7.1.2
3.0.1 - 2020-11-09
Bug Fixes
- export ServerOptions and Namespace types (#3684) (f62f180)
- typings: update the signature of the emit method (50671d9)
Links:
- Milestone: 3.0.1
- Diff: 3.0.0...3.0.1
- Client release: 3.0.1
- engine.io version: ~4.0.0
- ws version: ^7.1.2
3.0.0 - 2020-11-05
More details about this release in the blog post: https://socket.io/blog/socket-io-3-release/

Dedicated migration guide: https://socket.io/docs/migrating-from-2-x-to-3-0/

Bug Fixes
- close clients with no namespace (91cd255)
Features
- emit an Error object upon middleware error (54bf4a4)
- serve msgpack bundle (aa7574f)
- add support for catch-all listeners (5c73733)
- make Socket#join() and Socket#leave() synchronous (129c641)
- remove prod dependency to socket.io-client (7603da7)
- move binary detection back to the parser (669592d)
- add ES6 module export (8b6b100)
- do not reuse the Engine.IO id (2875d2c)
- remove Server#set() method (029f478)
- remove Socket#rooms object (1507b41)
- remove the 'origins' option (a8c0600)
- remove the implicit connection to the default namespace (3289f7e)
- throw upon reserved event names (4bd5b23)
BREAKING CHANGES
- the Socket#use() method is removed (see 5c73733)
- Socket#join() and Socket#leave() do not accept a callback argument anymore.
Before:
```
socket.join("room1", () => {
 io.to("room1").emit("hello");
});
```
After:
```
socket.join("room1");
io.to("room1").emit("hello");
// or await socket.join("room1"); for custom adapters
```
- the "connected" map is renamed to "sockets"
- the Socket#binary() method is removed, as this use case is now covered by the ability to provide your own parser.
- the 'origins' option is removed
Before:
```
new Server(3000, {
  origins: ["https://example.com"]
});
```
The 'origins' option was used in the allowRequest method, in order to
determine whether the request should pass or not. And the Engine.IO
server would implicitly add the necessary Access-Control-Allow-xxx
headers.

After:
```
new Server(3000, {
  cors: {
    origin: "https://example.com",
    methods: ["GET", "POST"],
    allowedHeaders: ["content-type"]
  }
});
```
The already existing 'allowRequest' option can be used for validation:
```
new Server(3000, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.referer.startsWith("https://example.com"));
  }
});
```
- Socket#rooms is now a Set instead of an object
- Namespace#connected is now a Map instead of an object
- there is no more implicit connection to the default namespace:
```
// client-side
const socket = io("/admin");
// server-side

io.on("connect", socket => {

// not triggered anymore

})
io.use((socket, next) => {

// not triggered anymore

});
io.of("/admin").use((socket, next) => {

// triggered

});
```
- the Server#set() method was removed
This method was kept for backward-compatibility with pre-1.0 versions.

Links:
- Milestone: 3.0.0
- Diff: 2.3.0...3.0.0
- Client release: 3.0.0
- engine.io version: ~4.0.0
- ws version: ^7.1.2
3.0.0-rc4 - 2020-10-30
Features
- emit an Error object upon middleware error (54bf4a4)
- serve msgpack bundle (aa7574f)
Links:
- Milestone: 3.0.0
- Diff: 3.0.0-rc3...3.0.0-rc4
- Client release: 3.0.0-rc4
- engine.io version: ~4.0.0
- ws version: ^7.1.2
3.0.0-rc3 - 2020-10-26
Features
- add support for catch-all listeners (5c73733)
- make Socket#join() and Socket#leave() synchronous (129c641)
- remove prod dependency to socket.io-client (7603da7)
BREAKING CHANGES
- the Socket#use() method is removed (see 5c73733)
- Socket#join() and Socket#leave() do not accept a callback argument anymore.
Before:
```
socket.join("room1", () => {
 io.to("room1").emit("hello");
});
```
After:
```
socket.join("room1");
io.to("room1").emit("hello");
// or await socket.join("room1"); for custom adapters
```
Links:
- Milestone: 3.0.0
- Diff: 3.0.0-rc2...3.0.0-rc3
- Client release: 3.0.0-rc3
- engine.io version: ~4.0.0
- ws version: ^7.1.2
3.0.0-rc2 - 2020-10-15
Bug Fixes
- close clients with no namespace (91cd255)
Code Refactoring
- remove duplicate _sockets map (8a5db7f)
Features
- move binary detection back to the parser (669592d)
BREAKING CHANGES
- the "connected" map is renamed to "sockets"
- the Socket#binary() method is removed, as this use case is now covered by the ability to provide your own parser.
Links:
- Milestone: 3.0.0
- Diff: 3.0.0-rc1...3.0.0-rc2
- Client release: 3.0.0-rc2
- engine.io version: ~4.0.0
- ws version: ^7.1.2
3.0.0-rc1 - 2020-10-13
Features
- add ES6 module export (8b6b100)
- do not reuse the Engine.IO id (2875d2c)
- remove Server#set() method (029f478)
- remove Socket#rooms object (1507b41)
- remove the 'origins' option (a8c0600)
- remove the implicit connection to the default namespace (3289f7e)
- throw upon reserved event names (4bd5b23)
BREAKING CHANGES
- the 'origins' option is removed
Before:
```
new Server(3000, {
  origins: ["https://example.com"]
});
```
The 'origins' option was used in the allowRequest method, in order to
determine whether the request should pass or not. And the Engine.IO
server would implicitly add the necessary Access-Control-Allow-xxx
headers.

After:
```
new Server(3000, {
  cors: {
    origin: "https://example.com",
    methods: ["GET", "POST"],
    allowedHeaders: ["content-type"]
  }
});
```
The already existing 'allowRequest' option can be used for validation:
```
new Server(3000, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.referer.startsWith("https://example.com"));
  }
});
```
- Socket#rooms is now a Set instead of an object
- Namespace#connected is now a Map instead of an object
- there is no more implicit connection to the default namespace:
```
// client-side
const socket = io("/admin");
// server-side

io.on("connect", socket => {

// not triggered anymore

})
io.use((socket, next) => {

// not triggered anymore

});
io.of("/admin").use((socket, next) => {

// triggered

});
```
- the Server#set() method was removed
This method was kept for backward-compatibility with pre-1.0 versions.

Links:
- Milestone: 3.0.0
- Diff: 2.3.0...3.0.0-rc1
- Client release: 3.0.0-rc1
- engine.io version: ~4.0.0 (diff: socketio/engine.io@3.4.0...4.0.0)
- ws version: ^7.1.2
2.3.0 - 2019-09-20
This release mainly contains a bump of the engine.io and ws packages, but no additional features.

Links:
- Milestone: 2.3.0
- Diff: 2.2.0...2.3.0
- Client release: 2.3.0
- engine.io version: ~3.4.0 (diff: socketio/engine.io@3.3.1...3.4.2)
- ws version: ^7.1.2 (diff: websockets/ws@6.1.2...7.3.1)
2.2.0 - 2018-11-28
2.1.1 - 2018-05-17
2.1.0 - 2018-03-29
2.0.4 - 2017-10-22
2.0.3 - 2017-06-12
2.0.2 - 2017-06-01
2.0.1 - 2017-05-08
2.0.0 - 2017-05-08
1.7.4 - 2017-05-07
1.7.3 - 2017-02-17
1.7.2 - 2016-12-11
1.7.1 - 2016-11-27
1.7.0 - 2016-11-27
1.6.0 - 2016-11-20
1.5.1 - 2016-10-24
1.5.0 - 2016-10-06
1.4.8 - 2016-06-24
1.4.7 - 2016-06-24
1.4.6 - 2016-05-03
1.4.5 - 2016-01-26
1.4.4 - 2016-01-11
1.4.3 - 2016-01-08
1.4.2 - 2016-01-08
1.4.1 - 2016-01-07
1.4.0 - 2016-01-05
1.3.7 - 2015-09-21

from socket.io GitHub release notes

Commit messages

Package name: socket.io

06a2bd3 chore(release): 3.0.3
85ebd35 chore: cleanup dist folder before compilation
9b6f971 chore(release): 3.0.2
43705d7 fix: merge Engine.IO options
118cc68 chore: add 3rd party types in the list of dependencies
c596e54 docs(examples): update React Native example
f7e0009 docs(examples): update TypeScript example
e69d0ad chore: bump socket.io-client version
0317a07 chore(release): 3.0.1
d00c0c0 docs(examples): update examples to Socket.IO v3
f62f180 fix: export ServerOptions and Namespace types (#3684)
50671d9 fix(typings): update the signature of the emit method
8a69f15 chore: restore package-lock.json file
1af3267 chore(release): 3.0.0
02951c4 chore(release): 3.0.0-rc4
54bf4a4 feat: emit an Error object upon middleware error
aa7574f feat: serve msgpack bundle
64056d6 docs(examples): update TypeScript example
cacad70 chore(release): 3.0.0-rc3
d16c035 refactor: rename ERROR to CONNECT_ERROR
5c73733 feat: add support for catch-all listeners
129c641 feat: make Socket#join() and Socket#leave() synchronous
0d74f29 refactor(typings): export Socket class
7603da7 feat: remove prod dependency to socket.io-client

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Snyk has created this PR to upgrade socket.io from 1.3.7 to 3.0.3. See this package in npm: https://www.npmjs.com/package/socket.io See this project in Snyk: https://app.snyk.io/org/deepcode/project/2602bd95-c9ab-426a-8fe0-cfc745699867?utm_source=github&utm_medium=upgrade-pr

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Snyk] Upgrade socket.io from 1.3.7 to 3.0.3 #1

[Snyk] Upgrade socket.io from 1.3.7 to 3.0.3 #1

Uh oh!

snyk-bot commented Dec 10, 2020

Links:

Bug Fixes

Links:

Bug Fixes

Links:

Bug Fixes

Features

BREAKING CHANGES

Links:

Features

Links:

Features

BREAKING CHANGES

Links:

Bug Fixes

Code Refactoring

Features

BREAKING CHANGES

Links:

Features

BREAKING CHANGES

Links:

Links:

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

[Snyk] Upgrade socket.io from 1.3.7 to 3.0.3 #1

Are you sure you want to change the base?

[Snyk] Upgrade socket.io from 1.3.7 to 3.0.3 #1

Uh oh!

Conversation

snyk-bot commented Dec 10, 2020

Snyk has created this PR to upgrade socket.io from 1.3.7 to 3.0.3.

Links:

Bug Fixes

Links:

Bug Fixes

Links:

Bug Fixes

Features

BREAKING CHANGES

Links:

Features

Links:

Features

BREAKING CHANGES

Links:

Bug Fixes

Code Refactoring

Features

BREAKING CHANGES

Links:

Features

BREAKING CHANGES

Links:

Links:

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants