Bump engine.io from 4.1.1 to 4.1.2 (#196)
Bumps [engine.io](https://github.com/socketio/engine.io) from 4.1.1 to 4.1.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/socketio/engine.io/releases">engine.io's releases</a>.</em></p> <blockquote> <h2>4.1.2</h2> <p>⚠️ This release contains an important security fix ⚠️</p> <p>A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:</p> <blockquote> <p>RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14) at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22) at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10) at writeOrBuffer (internal/streams/writable.js:358:12)</p> </blockquote> <p>This bug was introduced by <a href="f3c291fa61
">this commit</a>, included in <code>engine.io@4.0.0</code>, so previous releases are not impacted.</p> <p>Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.</p> <h3>Bug Fixes</h3> <ul> <li>properly handle invalid data sent by a malicious websocket client (<a href="a70800d7e9
">a70800d</a>)</li> </ul> <h4>Links</h4> <ul> <li>Diff: <a href="https://github.com/socketio/engine.io/compare/4.1.1...4.1.2">https://github.com/socketio/engine.io/compare/4.1.1...4.1.2</a></li> <li>Client release: -</li> <li>ws version: <a href="https://github.com/websockets/ws/releases/tag/7.4.2">~7.4.2</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/socketio/engine.io/blob/4.1.2/CHANGELOG.md">engine.io's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/socketio/engine.io/compare/4.1.1...4.1.2">4.1.2</a> (2022-01-11)</h2> <p>⚠️ This release contains an important security fix ⚠️</p> <p>A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:</p> <blockquote> <p>RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14) at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22) at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10) at writeOrBuffer (internal/streams/writable.js:358:12)</p> </blockquote> <p>This bug was introduced by <a href="f3c291fa61
">this commit</a>, included in <code>engine.io@4.0.0</code>, so previous releases are not impacted.</p> <p>Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.</p> <h3>Bug Fixes</h3> <ul> <li>properly handle invalid data sent by a malicious websocket client (<a href="a70800d7e9
">a70800d</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="c6315af448
"><code>c6315af</code></a> chore(release): 4.1.2</li> <li><a href="a70800d7e9
"><code>a70800d</code></a> fix: properly handle invalid data sent by a malicious websocket client</li> <li>See full diff in <a href="https://github.com/socketio/engine.io/compare/4.1.1...4.1.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=engine.io&package-manager=npm_and_yarn&previous-version=4.1.1&new-version=4.1.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/fast-tooling/network/alerts). </details> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jane Chu <7559015+janechu@users.noreply.github.com>
This commit is contained in:
Родитель
7b9932ac6d
Коммит
fa4ad69ae1
|
@ -7318,9 +7318,9 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/engine.io": {
|
"node_modules/engine.io": {
|
||||||
"version": "4.1.1",
|
"version": "4.1.2",
|
||||||
"resolved": "https://registry.npmjs.org/engine.io/-/engine.io-4.1.1.tgz",
|
"resolved": "https://registry.npmjs.org/engine.io/-/engine.io-4.1.2.tgz",
|
||||||
"integrity": "sha512-t2E9wLlssQjGw0nluF6aYyfX8LwYU8Jj0xct+pAhfWfv/YrBn6TSNtEYsgxHIfaMqfrLx07czcMg9bMN6di+3w==",
|
"integrity": "sha512-t5z6zjXuVLhXDMiFJPYsPOWEER8B0tIsD3ETgw19S1yg9zryvUfY3Vhtk3Gf4sihw/bQGIqQ//gjvVlu+Ca0bQ==",
|
||||||
"dev": true,
|
"dev": true,
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"accepts": "~1.3.4",
|
"accepts": "~1.3.4",
|
||||||
|
@ -31052,9 +31052,9 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"engine.io": {
|
"engine.io": {
|
||||||
"version": "4.1.1",
|
"version": "4.1.2",
|
||||||
"resolved": "https://registry.npmjs.org/engine.io/-/engine.io-4.1.1.tgz",
|
"resolved": "https://registry.npmjs.org/engine.io/-/engine.io-4.1.2.tgz",
|
||||||
"integrity": "sha512-t2E9wLlssQjGw0nluF6aYyfX8LwYU8Jj0xct+pAhfWfv/YrBn6TSNtEYsgxHIfaMqfrLx07czcMg9bMN6di+3w==",
|
"integrity": "sha512-t5z6zjXuVLhXDMiFJPYsPOWEER8B0tIsD3ETgw19S1yg9zryvUfY3Vhtk3Gf4sihw/bQGIqQ//gjvVlu+Ca0bQ==",
|
||||||
"dev": true,
|
"dev": true,
|
||||||
"requires": {
|
"requires": {
|
||||||
"accepts": "~1.3.4",
|
"accepts": "~1.3.4",
|
||||||
|
|
Загрузка…
Ссылка в новой задаче