Update dependency socket.io to v3 - autoclosed

[mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
socket.io	dependencies	major	^2.1.0 -> ^3.0.0

By merging this PR, the below vulnerabilities will be automatically resolved:

	Severity	CVSS Score	CVE
	High	7.5	CVE-2020-36048

---

Release Notes

socketio/socket.io

v3.0.0

Compare Source

Bug Fixes

• close clients with no namespace (91cd255)

Features

• emit an Error object upon middleware error (54bf4a4)
• serve msgpack bundle (aa7574f)
• add support for catch-all listeners (5c73733)
• make Socket#join() and Socket#leave() synchronous (129c641)
• remove prod dependency to socket.io-client (7603da7)
• move binary detection back to the parser (669592d)
• add ES6 module export (8b6b100)
• do not reuse the Engine.IO id (2875d2c)
• remove Server#set() method (029f478)
• remove Socket#rooms object (1507b41)
• remove the 'origins' option (a8c0600)
• remove the implicit connection to the default namespace (3289f7e)
• throw upon reserved event names (4bd5b23)

BREAKING CHANGES

• the Socket#use() method is removed (see 5c73733)

• Socket#join() and Socket#leave() do not accept a callback argument anymore.

Before:

socket.join("room1", () => {
 io.to("room1").emit("hello");
});

After:

socket.join("room1");
io.to("room1").emit("hello");
// or await socket.join("room1"); for custom adapters

• the "connected" map is renamed to "sockets"
• the Socket#binary() method is removed, as this use case is now covered by the ability to provide your own parser.
• the 'origins' option is removed

Before:

new Server(3000, {
  origins: ["https://example.com"]
});

The 'origins' option was used in the allowRequest method, in order to
determine whether the request should pass or not. And the Engine.IO
server would implicitly add the necessary Access-Control-Allow-xxx
headers.

After:

new Server(3000, {
  cors: {
    origin: "https://example.com",
    methods: ["GET", "POST"],
    allowedHeaders: ["content-type"]
  }
});

The already existing 'allowRequest' option can be used for validation:

new Server(3000, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.referer.startsWith("https://example.com"));
  }
});

• Socket#rooms is now a Set instead of an object

• Namespace#connected is now a Map instead of an object

• there is no more implicit connection to the default namespace:

// client-side
const socket = io("/admin");

// server-side
io.on("connect", socket => {
  // not triggered anymore
})

io.use((socket, next) => {
  // not triggered anymore
});

io.of("/admin").use((socket, next) => {
  // triggered
});

• the Server#set() method was removed

This method was kept for backward-compatibility with pre-1.0 versions.

v2.4.1

Compare Source

This release reverts the breaking change introduced in 2.4.0 (socketio/socket.io@f78a575).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

• without CORS (server and client are served from the same domain):

const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});

• with CORS (server and client are served from distinct domains):

io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts

• fix(security): do not allow all origins by default (a169050)

Links:

• Diff: socketio/socket.io@2.4.0...2.4.1
• Client release: -
• engine.io version: ~3.5.0
• ws version: ~7.4.2

v2.4.0

Compare Source

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)

• add support for all cookie options (19cc582)
• disable perMessageDeflate by default (5ad2736)

Bug Fixes

• security: do not allow all origins by default (f78a575)
• properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

• you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
• you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://socket.io/docs/v3/handling-cors/
• https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling

Thanks a lot to @​ni8walk3r for the security report.

Links:

• Milestone: 2.4.0
• Diff: socketio/socket.io@2.3.0...2.4.0
• Client release: 2.4.0
• engine.io version: ~3.5.0
• ws version: ~7.4.2

v2.3.0

Compare Source

This release mainly contains a bump of the engine.io and ws packages, but no additional features.

Links:

• Milestone: 2.3.0
• Diff: socketio/socket.io@2.2.0...2.3.0
• Client release: 2.3.0
• engine.io version: ~3.4.0 (diff: socketio/engine.io@3.3.1...3.4.2)
• ws version: ^7.1.2 (diff: websockets/ws@6.1.2...7.3.1)

v2.2.0

Compare Source

Features

• add cache-control header when serving the client source (#​2907)

Bug fixes

• throw an error when trying to access the clients of a dynamic namespace (#​3355)

Links

• Milestone: 2.2.0
• Diff: socketio/socket.io@2.1.1...2.2.0
• Client release: 2.2.0
• engine.io version: ~3.3.1 (diff: socketio/engine.io@3.2.0...3.3.1)
• ws version: ~6.1.0 (diff: websockets/ws@3.3.1...6.1.2)

v2.1.1

Compare Source

Features

• add local flag to the socket object (add local flag to the socket object socketio/socket.io#3219)

socket.local.to('room101').emit(/* */);

Bug fixes

(client) fire an error event on middleware failure for non-root namespace (socketio/socket.io-client#1202)

Links:

• Milestone: 2.1.1
• Diff: socketio/socket.io@2.1.0...2.1.1
• Client release: 2.1.1
• engine.io version: ~3.2.0
• ws version: ~3.3.1

---

• If you want to rebase/retry this PR, click this checkbox.