chore(deps): update socket.io/client to get downstream security patches #628
+227
−113
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jakemhiller
commented
Mar 24, 2025
| @@ -42,7 +42,7 @@ export default class TransportImplSocketIO extends TransportImplBase { | |||
| this.socket = io(this.snackpubURL, { transports: ['websocket'] }); | |||
|
|
|||
| this.socket.on('connect', () => { | |||
| this.socket?.emit('subscribeChannel', { channel: this.channel, sender: this.socket?.id }); | |||
| this.socket?.emit('subscribeChannel', { channel: this.channel, sender: this.socket?.id! }); | |||
There was a problem hiding this comment.
Happy to change these to type guards if that is the preference in this situation.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why
[email protected](link) introduced an updated version ofengine.io-client(link) that includes the updatedwsversion that fixes this vulnerability CVE-2024-37890I haven't looked into whether the vulnerability affects this package, but because of the semver used in the
socket.iopackages, and in these packages, the vulnerable package wasn't able to be updated in our repo that usessnack-sdk.How
I updated to the latest patch version of
socket.io-clientthat included thewsfix. I had to make two minor TypeScript type changes but otherwise the changes insocket.io-clientseemed non-breaking (api additions and bug fixes).Test Plan
I see that the socket transport is mocked in the jest tests. Is there another way an update like this should be tested?