[dist] Update dependency engine.io to 3.6.1 [SECURITY] - abandoned

[renovate]

This PR contains the following updates:

Package	Change
engine.io	3.3.2 -> 3.6.1

GitHub Vulnerability Alerts

CVE-2020-36048

Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

CVE-2022-41940

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

Version range	Fixed version
[email protected]	3.6.1
[email protected]	6.2.1

For socket.io users:

Version range	engine.io version	Needs minor update?
[email protected]	~6.2.0	npm audit fix should be sufficient
[email protected]	~6.1.0	Please upgrade to [email protected]
[email protected]	~6.0.0	Please upgrade to [email protected]
[email protected]	~5.2.0	Please upgrade to [email protected]
[email protected]	~5.1.1	Please upgrade to [email protected]
[email protected]	~5.0.0	Please upgrade to [email protected]
[email protected]	~4.1.0	Please upgrade to [email protected] (see here)
[email protected]	~4.0.0	Please upgrade to [email protected] (see here)
[email protected]	~3.6.0	npm audit fix should be sufficient
[email protected] and below	~3.5.0	Please upgrade to [email protected]

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

• Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.