Bump socket.io-parser from 4.2.4 to 4.2.6#101
Conversation
Bumps [socket.io-parser](https://github.com/socketio/socket.io) from 4.2.4 to 4.2.6. - [Release notes](https://github.com/socketio/socket.io/releases) - [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md) - [Commits](https://github.com/socketio/socket.io/compare/socket.io-parser@4.2.4...socket.io-parser@4.2.6) --- updated-dependencies: - dependency-name: socket.io-parser dependency-version: 4.2.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
| "version": "3.0.2", | ||
| "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz", | ||
| "integrity": "sha1-mGbfOVECEw449/mWvOtlRDIJwls=", | ||
| "dev": true | ||
| }, | ||
| "js-yaml": { | ||
| "node_modules/js-yaml": { |
There was a problem hiding this comment.
Medium severity vulnerability may affect your project—review required:
Line 3692 lists a dependency (js-yaml) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of js-yaml are vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). js-yaml is vulnerable to prototype pollution through its YAML merge key (<<) handling. When parsing untrusted YAML with load, loadAll, safeLoad, or safeLoadAll, a crafted document containing a __proto__ key inside a merged mapping can modify the prototype of the resulting object, leading to integrity violations in the application.
To resolve this comment:
Check if you are using js-yaml on the CLI.
- If you're affected, upgrade this dependency to at least version 3.14.2 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| }, | ||
| "jsonwebtoken": { | ||
| "node_modules/jsonwebtoken": { |
There was a problem hiding this comment.
Medium severity vulnerability may affect your project—review required:
Line 3733 lists a dependency (jsonwebtoken) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.
To resolve this comment:
Check if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function..
- If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "version": "1.0.0", | ||
| "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", | ||
| "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=", | ||
| "dev": true | ||
| }, | ||
| "fsevents": { | ||
| "node_modules/fsevents": { |
There was a problem hiding this comment.
👿 Malicious dependency detected—remove immediately
The version 1.1.3 of fsevents contains malicious code and is a critical security risk. Upgrade
to 1.2.11 to resolve this issue.
ℹ️ Why this matters
This specific version of fsevents contains malicious code. Upgrade to the safe version immediately.
References: https://osv.dev/vulnerability/MAL-2023-462
To resolve this comment:
Upgrade this dependency to at least version 1.2.11 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "version": "3.1.2", | ||
| "resolved": "https://registry.npmjs.org/@socket.io/component-emitter/-/component-emitter-3.1.2.tgz", | ||
| "integrity": "sha512-9BCxFwvbGg/RsZK9tjXd8s4UcwR0MWeFQ1XEKIQVVvAGJyINdrqKMcTRyLoK8Rse1GjzLV9cwjWV1olXRWEXVA==" | ||
| }, | ||
| "acorn": { | ||
| "node_modules/acorn": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 43 lists a dependency (acorn) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of acorn are vulnerable to Uncontrolled Resource Consumption. A regular-expression denial-of-service exists in Acorn's RegExp parser: a pattern like /[x-\ud800]/u (an invalid UTF-16 range) causes the parser to spin in an infinite loop. If an application feeds untrusted code directly into Acorn, an attacker can supply such a regex to trigger a CPU-hogging infinite loop and achieve Denial of Service.
References: GHSA
To resolve this comment:
Check if you are using acorn on the CLI.
- If you're affected, upgrade this dependency to at least version 5.7.4 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| } | ||
| }, | ||
| "tree-kill": { | ||
| "node_modules/tree-kill": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 5314 lists a dependency (tree-kill) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of tree-kill are vulnerable to Improper Control of Generation of Code ('Code Injection'). The tree-kill package is vulnerable to command injection on Windows. An attacker can control the unsanitized input passed to the kill function, potentially leading to arbitrary command execution on the host system.
To resolve this comment:
Check if you are using tree-kill Command Line Interface in Windows System.
- If you're affected, upgrade this dependency to at least version 1.2.2 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| }, | ||
| "jsonwebtoken": { | ||
| "node_modules/jsonwebtoken": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 3733 lists a dependency (jsonwebtoken) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
To resolve this comment:
Check if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.
- If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "ms": "2.0.0" | ||
| } | ||
| }, | ||
| "node_modules/fsevents/node_modules/deep-extend": { |
There was a problem hiding this comment.
Critical severity vulnerability introduced by a package you're using:
Line 2096 lists a dependency (deep-extend) with a known Critical severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected version of deep-extend is vulnerable to Prototype Pollution. Malicious input passed to deep-extend allows an attacker to overwrite the prototype of Object, polluting all JavaScript objects with arbitrary properties. This can lead to Denial of Service or even Remote Code Execution.
To resolve this comment:
Upgrade this dependency to at least version 0.5.1 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
Bumps socket.io-parser from 4.2.4 to 4.2.6.
Release notes
Sourced from socket.io-parser's releases.
Commits
522edcdchore(release): socket.io-parser@4.2.63fff7cafix(parser): add a limit to the number of binary attachments37aad11fix: cleanup pending acks on timeout to prevent memory leakba9cd69revert: fix: cleanup pending acks on timeout to prevent memory leak84c2fb7chore(release): engine.io@6.6.607cbe15fix(eio): add@types/wsas dependency (#5458)44ed73ffix(eio): emit initial_headers and headers events in uServer (#5460)da04267fix: cleanup pending acks on timeout to prevent memory leak (#5442)74599a6fix(types): properly import http moduled48718cci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for socket.io-parser since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.