fix(deps): update dependency socket.io-parser to v4.2.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
socket.io-parser	4.0.5 -> 4.2.3

GitHub Vulnerability Alerts

CVE-2023-32695

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

• socketio/socket.io-parser@3b78117, included in [email protected]
• socketio/socket.io-parser@2dc3c92, included in [email protected]

Another fix has been released for the 3.3.x branch:

• socketio/socket.io-parser@ee00660, included in `[email protected]

socket.io version	socket.io-parser version	Needs minor update?
4.5.2...latest	~4.2.0 (ref)	npm audit fix should be sufficient
4.1.3...4.5.1	~4.1.1 (ref)	Please upgrade to [email protected]
3.0.5...4.1.2	~4.0.3 (ref)	Please upgrade to [email protected]
3.0.0...3.0.4	~4.0.1 (ref)	Please upgrade to [email protected]
2.3.0...2.5.0	~3.4.0 (ref)	npm audit fix should be sufficient

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

• Open a discussion here

Thanks to @​rafax00 for the responsible disclosure.

---

Release Notes

Automattic/socket.io-parser (socket.io-parser)

v4.2.3

Compare Source

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Please upgrade as soon as possible.

Bug Fixes

• check the format of the event name (3b78117)

Links

• Diff: socketio/socket.io-parser@4.2.2...4.2.3

v4.2.2

Compare Source

Bug Fixes

• calling destroy() should clear all internal state (22c42e3)
• do not modify the input packet upon encoding (ae8dd88)

Links

• Diff: socketio/socket.io-parser@4.2.1...4.2.2

v4.2.1

Compare Source

Bug Fixes

• check the format of the index of each attachment (b5d0cb7)

Links

• Diff: socketio/socket.io-parser@4.2.0...4.2.1

v4.2.0

Compare Source

Features

• allow the usage of custom replacer and reviver (#​112) (b08bc1a)

Links

• Diff: socketio/socket.io-parser@4.1.2...4.2.0

v4.1.2

Compare Source

Bug Fixes

• allow objects with a null prototype in binary packets (#​114) (7f6b262)

Links

• Diff: socketio/socket.io-parser@4.1.1...4.1.2

v4.1.1

Compare Source

Links

• Diff: socketio/socket.io-parser@4.1.0...4.1.1

v4.1.0

Compare Source

Features

• provide an ESM build with and without debug (388c616)

Links

• Diff: socketio/socket.io-parser@4.0.4...4.1.0

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

Note

Upgrade socket.io-parser to 4.2.3 across workspace and refresh lockfile with updated transitive deps.

• Dependencies:
  • Bump socket.io-parser from 4.0.5 to 4.2.3 in root resolutions and packages/socket/package.json.
• Lockfile:
  • Update yarn.lock to [email protected] and add @socket.io/component-emitter@~3.1.0 (replacing component-emitter in that path).

^{Written by Cursor Bugbot for commit 84dbae0. This will update automatically on new commits. Configure here.}

[cypress-app-bot]

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.