[Snyk] Fix for 1 vulnerabilities

[tjenkinson]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	461/1000 Why? Recently disclosed, Has a fix available, CVSS 3.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-DEBUG-3227433	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: debug

The new version differs by 197 commits.

• f073e05 Release 3.1.0
• 2c0df9b rename `DEBUG_HIDE_TTY_DATE` to `DEBUG_HIDE_DATE`
• dcb37b2 Merge branch '2.x'
• 56a3853 Add `DEBUG_HIDE_TTY_DATE` env var (Fixed typo. socketio/socket.io#486)
• 13abeae Release 2.6.9
• f53962e remove ReDoS regexp in %o formatter (npm packge.jason needs to be updated! socketio/socket.io#504)
• bdb7e01 remove "component" from package.json
• c38a016 remove ReDoS regexp in %o formatter (npm packge.jason needs to be updated! socketio/socket.io#504)
• 47747f3 remove `component.json`
• a0601e5 fix
• e7e568a ignore package-lock.json
• fdfa0f5 Fix browser detection
• 7cd9e53 examples: fix colors printout
• 8d76196 Merge pull request Can we create socket instance by using socket = new io.Socket socketio/socket.io#496 from EdwardBetts/spelling
• daf1a7c correct spelling mistake
• 3e1849d Release 3.0.1
• b3ea123 Disable colors in Edge and Internet Explorer (Object doesn't support property or method 'packet'  socketio/socket.io#489)
• 13e1d06 remove v3 discussion note for now
• 52b894c Release 3.0.0
• d2dd80a component: update "ms" to v2.0.0
• 6752953 fix browser test 😵
• f6f6213 remove `make coveralls` from travis
• f178d86 attempt to separate the Node and Browser tests in Travis
• d73c4ae fix `make test`

See the full diff

Package name: engine.io

The new version differs by 127 commits.

• b3f3590 [chore] Release 3.1.5
• 0d4e79e [chore] Bump dependencies (node crash: node: src/uv-common.c:92: uv_err_name: Assertion `0' failed. socketio/socket.io#549)
• ea318b8 [chore] Bump accepts to version 1.3.4 (Socket.io appears not to be working in Firefox 8 on Linux socketio/socket.io#548)
• d7aaf2b [docs] Update test command in README (Origin is not allowed by Access-Control-Allow-Origin. socketio/socket.io#547)
• c107ffe [chore] Bump uws to version 9.14.0 (Authorization and handshake errors socketio/socket.io#545)
• 8d0ce5f [refactor] Add some checks to prevent usage of undefined properties (Setting log: false breaks socket.io in manager.js socketio/socket.io#540)
• 1a685c0 [chore] Release 3.1.4
• b3f1d35 [chore] Bump ws to version 3.3.1 (Socket.io and non-domain-level Proxies socketio/socket.io#543)
• 3ee803a [chore] Release 3.1.3
• 49362ab [fix] Fix undefined remoteAddress when using uws (Connect to websocket.org echo service socketio/socket.io#533)
• 3c77780 [chore] Bump debug to version 2.6.9 (Fixes issue 523, and (unreported?) issue where flashsocket identifies as websocket socketio/socket.io#532)
• bf24359 [chore] Release 3.1.2
• a8ff89c [chore] Release 3.1.1
• e0d720c [fix] Check whether 'Origin' header has invalid characters (Fails on IE8/9 Cross domain. socketio/socket.io#531)
• 38d639a [fix] Use explicit require of wsEngine (TypeError: Object #<WebSocket> has no method 'payload' socketio/socket.io#523)
• f9d3f06 [docs] Fix wsEngine default value in README (Why a socket is needed for each namespaces? socketio/socket.io#526)
• fd20b91 [test] Use npm scripts instead of gulp (that's dev server with 3 connections, logs over 2-3seconds socketio/socket.io#530)
• 7f63d38 [fix] Fix undeterministic error in polling buffer processing (Fix RedisStore socketio/socket.io#529)
• 3dcc2d5 [fix] Use workaround for setEncoding bug in node 0.10+ (last version is unstable socketio/socket.io#527)
• e76e035 [fix] Fix null payload when aborting connection (Properly getting a socket by ID socketio/socket.io#503)
• 935b155 [chore] Release 3.1.0
• 82ed65f [test] Add test for maxHttpBufferSize option with websocket (Redis store connection settings socketio/socket.io#499)
• 519fb8d [chore] Bump uws to version 0.14.4 (Fixes issue commented on in #377 socketio/socket.io#501)
• 7edb34e [chore] Bump dependencies (Clarification of reconnect semantics socketio/socket.io#500)

See the full diff

Package name: socket.io-adapter

The new version differs by 12 commits.

• 6874ea4 [chore] release 1.1.1
• bdb015a [chore] remove unused 'debug' dependency (Added a second example using channels and has a basic API socketio/socket.io#52)
• c6f7bae [chore] Release 1.1.0 (Server restart - "Couldnt find client with session id" flood socketio/socket.io#50)
• f627cd2 [feat] Add addAll method (none socketio/socket.io#49)
• b983377 [chore] Release 1.0.0 (Errors on starting server.js on with node 0.2.0 socketio/socket.io#48)
• 40764bb [feat] Remove the socket.io-parser dependency (Client.disconnect() to force a client to disconnect socketio/socket.io#47)
• fd086d7 [refactor] Remove useless self var (example not working in firefox 3.6.8 socketio/socket.io#45)
• 9a621ec [chore] Release 0.5.0 (Socket.io dies (uncatchable) on faulty web socket connection socketio/socket.io#44)
• ffadfa6 [feature] Add clientRooms method (Better public .connected property socketio/socket.io#41)
• 915af31 [chore] Bump debug to version 2.3.3 (Error during WebSocket handshake: location mismatch socketio/socket.io#42)
• 35987a5 [chore] Bump socket.io-parser to version 2.3.1 (Better logging socketio/socket.io#43)
• 97bdbab [docs] Fix typo in Readme.md (require socket.io.js? socketio/socket.io#37)

See the full diff

Package name: socket.io-parser

The new version differs by 40 commits.

• f9c0625 [chore] Release 3.1.3
• f0a7df1 [fix] Ensure packet data is an array (WebSocket CLOSE_WAIT on disconnect socketio/socket.io#83)
• 8822578 [fix] Use ArrayBuffer.isView to check for typed arrays (Disconnects are blocking socketio/socket.io#82)
• dd164e6 [chore] Bump debug to version 3.1.0
• f9c3549 [chore] Release 3.1.2
• 425391a [chore] Bump has-binary2 to version 1.0.2 (Location MisMatch on Secure WebSockets socketio/socket.io#70)
• b4f849a [fix] Fix Blob detection for iOS 8/9 (Error detection for the flashSocket net server socketio/socket.io#69)
• eaee5d5 [chore] Release 3.1.1
• 2f31a4e [fix] Ensure globals are functions before running `instanceof` (Problem with IE 8 socketio/socket.io#68)
• 8e5465d [chore] Release 3.1.0
• 403b858 [chore] Bump debug to version 2.6.4 (Memory leaks socketio/socket.io#67)
• f44256c [feat] Move binary detection to the parser (Socket.IO does not intercept first client file request socketio/socket.io#66)
• 817adca [chore] Release 3.0.0
• e295b9b [chore] Bump isarray to version 2.0.1 (Streamline setup+use socketio/socket.io#65)
• e39f5a8 [chore] Use native JSON and drop support for older nodejs versions (Better handling of the listener resource. socketio/socket.io#64)
• 9ce9a98 [chore] Release 2.3.2 ( Illegal transport "socket.io.js" socketio/socket.io#59)
• 2314c10 [perf] Small optimisations (don't require() transports that are not in use? socketio/socket.io#57)
• 5ac691e [chore] Update zuul config to speed up tests in browser (Bad headers in jsonp-polling, xhr-polling socketio/socket.io#58)
• c2d0a08 [refactor] Remove useless variable (Untitled socketio/socket.io#55)
• aed8257 [chore] Bump dependencies (README: please mention server.listen() socketio/socket.io#56)
• 9072faa [refactor] Remove unused var (Few optimisations and bug fixes. socketio/socket.io#53)
• 9772195 [refactor] Use strict equality when possible (Added a second example using channels and has a basic API socketio/socket.io#52)
• 64455b4 [chore] Release 2.3.1 (websocket problems with standard 80 port socketio/socket.io#51)
• 0e2dcb7 [chore] Revert "Remove deprecated isarray dependency" (Server restart - "Couldnt find client with session id" flood socketio/socket.io#50)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[socket-security]

Socket Security Pull Request Report

Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package	Script field	Source
uws@9.14.0 (added)	binding.gyp	package.json via engine.io@3.1.5
uws@9.14.0 (added)	install	package.json via engine.io@3.1.5

🫣 Native code

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

Package	Location	Source
uws@9.14.0 (added)	binding.gyp	package.json via engine.io@3.1.5

Pull request report summary

Issue	Status
Install scripts	⚠️ 2 issues
Native code	⚠️ 1 issue
Bin script confusion	✅ 0 issues
Bin script shell injection	✅ 0 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2

• @SocketSecurity ignore uws@9.14.0

Powered by socket.dev