Update dependency socket.io to ~2.5.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
socket.io	~2.0.0 -> ~2.5.0

GitHub Vulnerability Alerts

CVE-2020-28481

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

---

Release Notes

socketio/socket.io

v2.5.0

Compare Source

⚠️ WARNING ⚠️

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: GHSA-j4f2-536g-r55m

Bug Fixes

• fix race condition in dynamic namespaces (05e1278)
• ignore packet received after disconnection (22d4bdf)
• only set 'connected' to true after middleware execution (226cc16)
• prevent the socket from joining a room after disconnection (f223178)

Links:

• Diff: socketio/socket.io@2.4.1...2.5.0
• Client release: 2.5.0
• engine.io version: ~3.6.0 (diff)
• ws version: ~7.4.2

v2.4.1

Compare Source

This release reverts the breaking change introduced in 2.4.0 (socketio/socket.io@f78a575).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

• without CORS (server and client are served from the same domain):

const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});

• with CORS (server and client are served from distinct domains):

io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts

• fix(security): do not allow all origins by default (a169050)

Links:

• Diff: socketio/socket.io@2.4.0...2.4.1
• Client release: -
• engine.io version: ~3.5.0
• ws version: ~7.4.2

v2.4.0

Compare Source

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)

• add support for all cookie options (19cc582)
• disable perMessageDeflate by default (5ad2736)

Bug Fixes

• security: do not allow all origins by default (f78a575)
• properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

• you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
• you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://socket.io/docs/v3/handling-cors/
• https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling

Thanks a lot to @​ni8walk3r for the security report.

Links:

• Milestone: 2.4.0
• Diff: socketio/socket.io@2.3.0...2.4.0
• Client release: 2.4.0
• engine.io version: ~3.5.0
• ws version: ~7.4.2

v2.3.0

Compare Source

This release mainly contains a bump of the engine.io and ws packages, but no additional features.

Links:

• Milestone: 2.3.0
• Diff: socketio/socket.io@2.2.0...2.3.0
• Client release: 2.3.0
• engine.io version: ~3.4.0 (diff: socketio/engine.io@3.3.1...3.4.2)
• ws version: ^7.1.2 (diff: websockets/ws@6.1.2...7.3.1)

v2.2.0

Compare Source

Features

• add cache-control header when serving the client source (#​2907)

Bug fixes

• throw an error when trying to access the clients of a dynamic namespace (#​3355)

Links

• Milestone: 2.2.0
• Diff: socketio/socket.io@2.1.1...2.2.0
• Client release: 2.2.0
• engine.io version: ~3.3.1 (diff: socketio/engine.io@3.2.0...3.3.1)
• ws version: ~6.1.0 (diff: websockets/ws@3.3.1...6.1.2)

v2.1.1

Compare Source

Features

• add local flag to the socket object (add local flag to the socket object socketio/socket.io#3219)

socket.local.to('room101').emit(/* */);

Bug fixes

(client) fire an error event on middleware failure for non-root namespace (socketio/socket.io-client#1202)

Links:

• Milestone: 2.1.1
• Diff: socketio/socket.io@2.1.0...2.1.1
• Client release: 2.1.1
• engine.io version: ~3.2.0
• ws version: ~3.3.1

v2.1.0

Compare Source

Features

• add a 'binary' flag (#​3185)

// by default, the object is recursively scanned to check whether it contains some binary data
// in the following example, the check is skipped in order to improve performance
socket.binary(false).emit('plain-object', object);

// it also works at the namespace level
io.binary(false).emit('plain-object', object);

• add support for dynamic namespaces (#​3195)

io.of(/^\/dynamic-\d+$/).on('connect', (socket) => {
  // socket.nsp.name = '/dynamic-101'
});

// client-side
const client = require('socket.io-client')('/dynamic-101');

Bug fixes

• properly emit 'connect' when using a custom namespace (#​3197)
• include the protocol in the origins check (#​3198)

Important note ⚠️ from Engine.IO 3.2.0 release

There are two non-breaking changes that are somehow quite important:

• ws was reverted as the default wsEngine ([chore] Revert to ws as default wsEngine socketio/engine.io#550), as there was several blocking issues with uws. You can still use uws by running npm install uws --save in your project and using the wsEngine option:

var engine = require('engine.io');
var server = engine.listen(3000, {
  wsEngine: 'uws'
});

• pingTimeout now defaults to 5 seconds (instead of 60 seconds): [chore] Update default value of pingTimeout socketio/engine.io#551

Links:

• Milestone: 2.1.0
• Diff: socketio/socket.io@2.0.4...2.1.0
• Client release: 2.1.0
• engine.io version: ~3.2.0 (diff: socketio/engine.io@3.1.0...3.2.0)
• ws version: ~3.3.1 (diff: websockets/ws@2.3.1...3.3.1)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by Mend Renovate. View repository job log here.