Skip to content

Bump socket.io-parser from 4.2.4 to 4.2.6#101

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/socket.io-parser-4.2.6
Open

Bump socket.io-parser from 4.2.4 to 4.2.6#101
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/socket.io-parser-4.2.6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown

Bumps socket.io-parser from 4.2.4 to 4.2.6.

Release notes

Sourced from socket.io-parser's releases.

socket.io-parser@4.2.6

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

  • add a limit to the number of binary attachments (b25738c)

socket.io-parser@4.2.5

This release contains a bump of debug from ~4.3.1 to ~4.4.1.

Commits
  • 522edcd chore(release): socket.io-parser@4.2.6
  • 3fff7ca fix(parser): add a limit to the number of binary attachments
  • 37aad11 fix: cleanup pending acks on timeout to prevent memory leak
  • ba9cd69 revert: fix: cleanup pending acks on timeout to prevent memory leak
  • 84c2fb7 chore(release): engine.io@6.6.6
  • 07cbe15 fix(eio): add @​types/ws as dependency (#5458)
  • 44ed73f fix(eio): emit initial_headers and headers events in uServer (#5460)
  • da04267 fix: cleanup pending acks on timeout to prevent memory leak (#5442)
  • 74599a6 fix(types): properly import http module
  • d48718c ci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for socket.io-parser since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [socket.io-parser](https://github.com/socketio/socket.io) from 4.2.4 to 4.2.6.
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io/compare/socket.io-parser@4.2.4...socket.io-parser@4.2.6)

---
updated-dependencies:
- dependency-name: socket.io-parser
  dependency-version: 4.2.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 3, 2026
Comment thread package-lock.json
"version": "3.0.2",
"resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz",
"integrity": "sha1-mGbfOVECEw449/mWvOtlRDIJwls=",
"dev": true
},
"js-yaml": {
"node_modules/js-yaml": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 3692 lists a dependency (js-yaml) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of js-yaml are vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). js-yaml is vulnerable to prototype pollution through its YAML merge key (<<) handling. When parsing untrusted YAML with load, loadAll, safeLoad, or safeLoadAll, a crafted document containing a __proto__ key inside a merged mapping can modify the prototype of the resulting object, leading to integrity violations in the application.

References: GHSA, CVE

To resolve this comment:
Check if you are using js-yaml on the CLI.

  • If you're affected, upgrade this dependency to at least version 3.14.2 at package-lock.json.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
},
"jsonwebtoken": {
"node_modules/jsonwebtoken": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 3733 lists a dependency (jsonwebtoken) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.

References: GHSA, CVE

To resolve this comment:
Check if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function..

  • If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
"integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=",
"dev": true
},
"fsevents": {
"node_modules/fsevents": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👿 Malicious dependency detected—remove immediately

The version 1.1.3 of fsevents contains malicious code and is a critical security risk. Upgrade
to 1.2.11 to resolve this issue.

ℹ️ Why this matters

This specific version of fsevents contains malicious code. Upgrade to the safe version immediately.

References: https://osv.dev/vulnerability/MAL-2023-462

To resolve this comment:
Upgrade this dependency to at least version 1.2.11 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
"version": "3.1.2",
"resolved": "https://registry.npmjs.org/@socket.io/component-emitter/-/component-emitter-3.1.2.tgz",
"integrity": "sha512-9BCxFwvbGg/RsZK9tjXd8s4UcwR0MWeFQ1XEKIQVVvAGJyINdrqKMcTRyLoK8Rse1GjzLV9cwjWV1olXRWEXVA=="
},
"acorn": {
"node_modules/acorn": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability may affect your project—review required:
Line 43 lists a dependency (acorn) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of acorn are vulnerable to Uncontrolled Resource Consumption. A regular-expression denial-of-service exists in Acorn's RegExp parser: a pattern like /[x-\ud800]/u (an invalid UTF-16 range) causes the parser to spin in an infinite loop. If an application feeds untrusted code directly into Acorn, an attacker can supply such a regex to trigger a CPU-hogging infinite loop and achieve Denial of Service.

References: GHSA

To resolve this comment:
Check if you are using acorn on the CLI.

  • If you're affected, upgrade this dependency to at least version 5.7.4 at package-lock.json.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
}
},
"tree-kill": {
"node_modules/tree-kill": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability may affect your project—review required:
Line 5314 lists a dependency (tree-kill) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of tree-kill are vulnerable to Improper Control of Generation of Code ('Code Injection'). The tree-kill package is vulnerable to command injection on Windows. An attacker can control the unsanitized input passed to the kill function, potentially leading to arbitrary command execution on the host system.

References: GHSA, CVE

To resolve this comment:
Check if you are using tree-kill Command Line Interface in Windows System.

  • If you're affected, upgrade this dependency to at least version 1.2.2 at package-lock.json.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
},
"jsonwebtoken": {
"node_modules/jsonwebtoken": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability may affect your project—review required:
Line 3733 lists a dependency (jsonwebtoken) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.

References: GHSA, CVE

To resolve this comment:
Check if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.

  • If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
"ms": "2.0.0"
}
},
"node_modules/fsevents/node_modules/deep-extend": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity vulnerability introduced by a package you're using:
Line 2096 lists a dependency (deep-extend) with a known Critical severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected version of deep-extend is vulnerable to Prototype Pollution. Malicious input passed to deep-extend allows an attacker to overwrite the prototype of Object, polluting all JavaScript objects with arbitrary properties. This can lead to Denial of Service or even Remote Code Execution.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 0.5.1 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants