From 14479b8ad12e911291b7625afb177e541d9970bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9goire=20Cutzach?=
Date: Tue, 21 Jan 2025 20:14:35 +0100
Subject: [PATCH] Update dependencies engine.io & engine.io-client (#1388)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Context
Follow up of #1368 `yarn audit` indicates high `ws` vulnerability due to engine.io and engine.io-client
## Proposed solution
The upgrade was operated in two steps atomized in two commits:
* 6.5.x to 6.5.X latest to fix `ws` vulnerability
* 6.5.X latest to 6.6.2 to fix `cookie` vulnerability
* As 6.6x introduced types, a type casting was needed in `app/server/lib/gristSessions.ts`
### Bump [engine.io](https://github.com/socketio/socket.io/blob/main/packages/engine.io) from 6.5.3 to 6.6.2
- [Changelog](https://github.com/socketio/socket.io/blob/main/packages/engine.io/CHANGELOG.md)
### Bump [engine.io-client](https://github.com/socketio/socket.io/blob/main/packages/engine.io-client) from 6.5.4 to 6.6.2
- [Changelog](https://github.com/socketio/socket.io/blob/main/packages/engine.io-client/CHANGELOG.md)
## Has this been tested?
- [x] 👍 yes, I run test suite in this PR CI
---
 app/server/lib/GristSocketServer.ts | 3 +-
 package.json | 4 +--
 yarn.lock | 47 +++++++++++++----------------
 3 files changed, 25 insertions(+), 29 deletions(-)

diff --git a/app/server/lib/GristSocketServer.ts b/app/server/lib/GristSocketServer.ts
index b39fc274a5..717dcfaced 100644
--- a/app/server/lib/GristSocketServer.ts
+++ b/app/server/lib/GristSocketServer.ts
@@ -4,6 +4,7 @@ import * as EIO from 'engine.io';
 import {GristServerSocket, GristServerSocketEIO, GristServerSocketWS} from './GristServerSocket';
 import * as net from 'net';
 import * as stream from 'stream';
+import { EngineRequest } from 'engine.io/build/transport';
 
 const MAX_PAYLOAD = 100e6;
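Review bot: The added import reaches into `engine.io/build/transport`, which is the package's compiled output rather than a documented entry point, so a later engine.io release can move or rename that module without any semver signal. Since `EngineRequest` is used purely as a type (the cast in the later hunk of this file), prefer `import type { EngineRequest } from 'engine.io/build/transport';` so the import is erased at emit and can never load runtime code from the build directory; if the package's main entry exposes the same type, import it from there instead. A short comment above the line, such as `// Type-only import from engine.io's build output; re-check this path on every engine.io upgrade`, would tell the next upgrader why it is there.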
@@ -102,7 +103,7 @@ export class GristSocketServer {
 return;
 }
- this._eioServer.handleRequest(req, res);
+ this._eioServer.handleRequest(req as EngineRequest, res);
 } else {
 // Otherwise fallback to the pre-existing listener(s)
 for (const listener of listeners) {
diff --git a/package.json b/package.json
index e832102d8d..3998a7bc08 100644
--- a/package.json
+++ b/package.json
@@ -141,8 +141,8 @@
 "diff-match-patch": "1.0.5",
 "dompurify": "3.2.3",
 "double-ended-queue": "2.1.0-0",
- "engine.io": "^6.5.4",
- "engine.io-client": "^6.5.3",
+ "engine.io": "6.6.2",
+ "engine.io-client": "6.6.2",
 "exceljs": "4.2.1",
 "express": "4.20.0",
 "express-rate-limit": "7.2.0",
diff --git a/yarn.lock b/yarn.lock
index 8475fee282..a18b3e8500 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2721,16 +2721,11 @@ cookie@0.7.0:
 resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.7.0.tgz#2148f68a77245d5c2c0005d264bc3e08cfa0655d"
 integrity sha512-qCf+V4dtlNhSRXGAZatc1TasyFO6GjohcOul807YOb5ik3+kQSnb4d7iajeCL8QHaJ4uZEjCgiCJerKXwdRVlQ==
 
-cookie@0.7.2:
+cookie@0.7.2, cookie@~0.7.2:
 version "0.7.2"
 resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.7.2.tgz#556369c472a2ba910f2979891b526b3436237ed7"
 integrity sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==
 
-cookie@~0.4.1:
- version "0.4.2"
- resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.4.2.tgz#0e41f24de5ecf317947c82fc789e06a884824432"
- integrity sha512-aSWTXFzaKWkvHO1Ny/s+ePFpvKsPnjc551iI41v3ny/ow6tBG5Vd+FuqGNhh1LxOmVzOlGUriIlOaokOvhaStA==
-
 core-util-is@~1.0.0:
 version "1.0.3"
 resolved "https://registry.yarnpkg.com/core-util-is/-/core-util-is-1.0.3.tgz#a6042d3634c2b27e9328f837b965fac83808db85"
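Review bot: `req as EngineRequest` is an unchecked assertion: it tells the compiler that `req` (presumably an `http.IncomingMessage`) already carries whatever members `EngineRequest` adds, which nothing in this hunk establishes, and it will keep compiling silently if a future engine.io changes what `handleRequest` expects. The pre-upgrade call passed the plain request, so runtime behaviour is presumably unchanged, but that reasoning belongs next to the cast, e.g. `// engine.io 6.6 types this parameter as EngineRequest; the plain request was accepted before and the extra members are presumably populated by engine.io itself — confirm against 6.6.2`. Note also that the PR description says the cast was needed in `app/server/lib/gristSessions.ts`, while the diff places it here in `GristSocketServer.ts`; the description should name the right file. The enclosing method of `GristSocketServer` starts and ends outside the hunk.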
@@ -3207,37 +3202,37 @@ end-of-stream@^1.4.1:
 dependencies:
 once "^1.4.0"
 
-engine.io-client@^6.5.3:
- version "6.5.3"
- resolved "https://registry.yarnpkg.com/engine.io-client/-/engine.io-client-6.5.3.tgz#4cf6fa24845029b238f83c628916d9149c399bc5"
- integrity sha512-9Z0qLB0NIisTRt1DZ/8U2k12RJn8yls/nXMZLn+/N8hANT3TcYjKFKcwbw5zFQiN4NTde3TSY9zb79e1ij6j9Q==
+engine.io-client@6.6.2:
+ version "6.6.2"
+ resolved "https://registry.yarnpkg.com/engine.io-client/-/engine.io-client-6.6.2.tgz#e0a09e1c90effe5d6264da1c56d7281998f1e50b"
+ integrity sha512-TAr+NKeoVTjEVW8P3iHguO1LO6RlUz9O5Y8o7EY0fU+gY1NYqas7NN3slpFtbXEsLMHk0h90fJMfKjRkQ0qUIw==
 dependencies:
 "@socket.io/component-emitter" "~3.1.0"
 debug "~4.3.1"
 engine.io-parser "~5.2.1"
- ws "~8.11.0"
- xmlhttprequest-ssl "~2.0.0"
+ ws "~8.17.1"
+ xmlhttprequest-ssl "~2.1.1"
 
 engine.io-parser@~5.2.1:
 version "5.2.2"
 resolved "https://registry.yarnpkg.com/engine.io-parser/-/engine.io-parser-5.2.2.tgz#37b48e2d23116919a3453738c5720455e64e1c49"
 integrity sha512-RcyUFKA93/CXH20l4SoVvzZfrSDMOTUS3bWVpTt2FuFP+XYrL8i8oonHP7WInRyVHXh0n/ORtoeiE1os+8qkSw==
 
-engine.io@^6.5.4:
- version "6.5.4"
- resolved "https://registry.yarnpkg.com/engine.io/-/engine.io-6.5.4.tgz#6822debf324e781add2254e912f8568508850cdc"
- integrity sha512-KdVSDKhVKyOi+r5uEabrDLZw2qXStVvCsEB/LN3mw4WFi6Gx50jTyuxYVCwAAC0U46FdnzP/ScKRBTXb/NiEOg==
+engine.io@6.6.2:
+ version "6.6.2"
+ resolved "https://registry.yarnpkg.com/engine.io/-/engine.io-6.6.2.tgz#32bd845b4db708f8c774a4edef4e5c8a98b3da72"
+ integrity sha512-gmNvsYi9C8iErnZdVcJnvCpSKbWTt1E8+JZo8b+daLninywUWi5NQ5STSHZ9rFjFO7imNcvb8Pc5pe/wMR5xEw==
 dependencies:
 "@types/cookie" "^0.4.1"
 "@types/cors" "^2.8.12"
 "@types/node" ">=10.0.0"
 accepts "~1.3.4"
 base64id "2.0.0"
- cookie "~0.4.1"
+ cookie "~0.7.2"
 cors "~2.8.5"
 debug "~4.3.1"
 engine.io-parser "~5.2.1"
- ws "~8.11.0"
+ ws "~8.17.1"
 
 enhanced-resolve@^5.17.1:
 version "5.18.0"
@@ -8381,10 +8376,10 @@ ws@8.18.0, ws@^8.18.0:
 resolved "https://registry.yarnpkg.com/ws/-/ws-8.18.0.tgz#0d7505a6eafe2b0e712d232b42279f53bc289bbc"
 integrity sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==
 
-ws@~8.11.0:
- version "8.11.0"
- resolved "https://registry.yarnpkg.com/ws/-/ws-8.11.0.tgz#6a0d36b8edfd9f96d8b25683db2f8d7de6e8e143"
- integrity sha512-HPG3wQd9sNQoT9xHyNCXoDUa+Xw/VevmY9FoHyQ+g+rrMn4j6FB4np7Z0OhdTgjx6MgQLK7jwSy1YecU1+4Asg==
+ws@~8.17.1:
+ version "8.17.1"
+ resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz#9293da530bb548febc95371d90f9c878727d919b"
+ integrity sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==
 
 xml-crypto@^3.0.1:
 version "3.2.0"
@@ -8437,10 +8432,10 @@ xmlchars@^2.2.0:
 resolved "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz"
 integrity sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==
 
-xmlhttprequest-ssl@~2.0.0:
- version "2.0.0"
- resolved "https://registry.yarnpkg.com/xmlhttprequest-ssl/-/xmlhttprequest-ssl-2.0.0.tgz#91360c86b914e67f44dce769180027c0da618c67"
- integrity sha512-QKxVRxiRACQcVuQEYFsI1hhkrMlrXHPegbbd1yn9UHOmRxY+si12nQYzri3vbzt8VdTTRviqcKxcyllFas5z2A==
+xmlhttprequest-ssl@~2.1.1:
+ version "2.1.2"
+ resolved "https://registry.yarnpkg.com/xmlhttprequest-ssl/-/xmlhttprequest-ssl-2.1.2.tgz#e9e8023b3f29ef34b97a859f584c5e6c61418e23"
+ integrity sha512-TEU+nJVUUnA4CYJFLvK5X9AOeH4KvDvhIfm0vV1GaQRtchnG0hgK5p8hw/xjv8cunWYCsiPCSDzObPyhEwq3KQ==
 
 xpath@0.0.32:
 version "0.0.32"