[dist] Update dependency socket.io to v2.5.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
socket.io (source)	2.2.0 -> 2.5.1
socket.io (source)	~0.9.16 -> ~2.5.1

GitHub Vulnerability Alerts

CVE-2020-28481

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

CVE-2024-38355

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Version range	Needs minor update?
4.6.2...latest	Nothing to do
3.0.0...4.6.1	Please upgrade to [email protected] (at least)
2.3.0...2.5.0	Please upgrade to [email protected]

Patches

This issue is fixed by socketio/socket.io@15af22f, included in [email protected] (released in May 2023).

The fix was backported in the 2.x branch today: socketio/socket.io@d30630b

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

• Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

• socketio/socket.io@15af22f
• socketio/socket.io@d30630b

---

Release Notes

socketio/socket.io (socket.io)

v2.5.1

Compare Source

Bug Fixes

• add a noop handler for the error event (d30630b)

Links:

• Diff: socketio/socket.io@2.5.0...2.5.1
• Client release: -
• engine.io version: ~3.6.0 (no change)
• ws version: ~7.5.10

v2.5.0

Compare Source

⚠️ WARNING ⚠️

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: GHSA-j4f2-536g-r55m

Bug Fixes

• fix race condition in dynamic namespaces (05e1278)
• ignore packet received after disconnection (22d4bdf)
• only set 'connected' to true after middleware execution (226cc16)
• prevent the socket from joining a room after disconnection (f223178)

Links:

• Diff: socketio/socket.io@2.4.1...2.5.0
• Client release: 2.5.0
• engine.io version: ~3.6.0 (diff)
• ws version: ~7.4.2

v2.4.1

Compare Source

This release reverts the breaking change introduced in 2.4.0 (socketio/socket.io@f78a575).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

• without CORS (server and client are served from the same domain):

const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});

• with CORS (server and client are served from distinct domains):

io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts

• fix(security): do not allow all origins by default (a169050)

Links:

• Diff: socketio/socket.io@2.4.0...2.4.1
• Client release: -
• engine.io version: ~3.5.0
• ws version: ~7.4.2

v2.4.0

Compare Source

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)

• add support for all cookie options (19cc582)
• disable perMessageDeflate by default (5ad2736)

Bug Fixes

• security: do not allow all origins by default (f78a575)
• properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

• you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
• you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://socket.io/docs/v3/handling-cors/
• https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling

Thanks a lot to @​ni8walk3r for the security report.

Links:

• Milestone: 2.4.0
• Diff: socketio/socket.io@2.3.0...2.4.0
• Client release: 2.4.0
• engine.io version: ~3.5.0
• ws version: ~7.4.2

v2.3.0

Compare Source

This release mainly contains a bump of the engine.io and ws packages, but no additional features.

Links:

• Milestone: 2.3.0
• Diff: socketio/socket.io@2.2.0...2.3.0
• Client release: 2.3.0
• engine.io version: ~3.4.0 (diff: socketio/engine.io@3.3.1...3.4.2)
• ws version: ^7.1.2 (diff: websockets/ws@6.1.2...7.3.1)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov-io]

Codecov Report

Merging #1501 (246460b) into master (9b96cd7) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #1501   +/-   ##
=======================================
  Coverage   92.38%   92.38%           
=======================================
  Files           6        6           
  Lines         315      315           
=======================================
  Hits          291      291           
  Misses         24       24           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9b96cd7...246460b. Read the comment docs.