[Snyk] Fix for 10 vulnerabilities

[tjenkinson]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Remote Memory Exposure npm:ws:20160104	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20160624	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:ws:20160920	No	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: debug

The new version differs by 154 commits.

• 13abeae Release 2.6.9
• f53962e remove ReDoS regexp in %o formatter (npm packge.jason needs to be updated! socketio/socket.io#504)
• 52e1f21 Release 2.6.8
• 2482e08 Check for undefined on browser globals (isXDomain() reports wrong result for HTTPS pages socketio/socket.io#462)
• 6bb07f7 release 2.6.7
• 15850cb Fix Regular Expression Denial of Service (ReDoS)
• 4a6c85c update "debug" to v1.0.0 (Feature/policy socketio/socket.io#454)
• b68dbf8 Fix typo (Added socket.io-flashsocket default port socketio/socket.io#455)
• 1351d2f Inline extend function in node implementation (Can i simulate a browser client on node server socketio/socket.io#452)
• c211947 update version for component
• 14df14c release 2.6.5
• cae07b7 cleanup browser tests and fix null reference check on window.documentElement.style.WebkitAppearance ('flash policy port' option broken socketio/socket.io#447)
• f311b10 release 2.6.4
• 1f01b70 Fix bug that would occure if process.env.DEBUG is a non-string value. (Node.js/Socket.io not returning results in IE, using a secure connection socketio/socket.io#444)
• 2f3ebf4 Update CHANGELOG.md
• f5ae332 Update CHANGELOG.md
• 9742c5f chore(): ignore bower.json in npm installations. (Safari 5.1 Type Error Undefined Function Line 2 socketio/socket.io#437)
• 27d93a3 update "debug" to v0.7.3
• 9dc30f8 release 2.6.3
• 0fb8ea4 LocalStorage returns undefined for any key not present (disconnect problems socketio/socket.io#431)
• ce4d93e changelog fix
• 017a9d6 release 2.6.2
• 23bc780 fix DEBUG_MAX_ARRAY_LENGTH
• 065cbfb Add backers and sponsors from Open Collective (Browser Client Minification breaks Payload encoding/decoding socketio/socket.io#422)

See the full diff

Package name: engine.io

The new version differs by 175 commits.

• 9df38d5 docs: update the list of supported engines
• 078527a feat: disable perMessageDeflate by default
• 54c6797 docs: update the default value of maxHttpBufferSize
• 1916d3a test: remove Node.js 8 from the test matrix
• 14ca7a1 chore: restore package-lock.json file
• ed29e59 chore: bump engine.io-parser version
• 03b4967 chore: bump cookie version
• 09708eb docs(changelog): include changelog for release 3.4.2
• 82cdca2 fix: remove implicit require of uws
• 94623c8 docs(changelog): include changelog for release 3.4.1
• dcdbccb fix: ignore errors when forcefully closing the socket (Multiplexing connection and client disconnect socketio/socket.io#601)
• 71ece3e chore(release): 4.0.0-alpha.1
• b27215d chore(release): 4.0.0-alpha.0
• 734f9d1 feat: decrease the default value of maxHttpBufferSize
• 61b9492 feat: use the cors module to handle cross-origin requests
• bafe684 refactor: refactor the handling of the options
• 61e639b test: add Node.js 10, 12 and 13 in the test matrix
• a374471 feat: disable cookie by default and add sameSite attribute
• 31ff875 feat: reverse the ping-pong mechanism
• 2ae2520 chore: point towards the v4 branch
• f3c291f feat: generateId method can now return a Promise
• 33564b2 refactor: use prettier to format code
• da93fb6 refactor: migrate to ES6 syntax
• ecfcc69 [chore] Release 3.4.0

See the full diff

Package name: socket.io-adapter

The new version differs by 12 commits.

• 6874ea4 [chore] release 1.1.1
• bdb015a [chore] remove unused 'debug' dependency (Added a second example using channels and has a basic API socketio/socket.io#52)
• c6f7bae [chore] Release 1.1.0 (Server restart - "Couldnt find client with session id" flood socketio/socket.io#50)
• f627cd2 [feat] Add addAll method (none socketio/socket.io#49)
• b983377 [chore] Release 1.0.0 (Errors on starting server.js on with node 0.2.0 socketio/socket.io#48)
• 40764bb [feat] Remove the socket.io-parser dependency (Client.disconnect() to force a client to disconnect socketio/socket.io#47)
• fd086d7 [refactor] Remove useless self var (example not working in firefox 3.6.8 socketio/socket.io#45)
• 9a621ec [chore] Release 0.5.0 (Socket.io dies (uncatchable) on faulty web socket connection socketio/socket.io#44)
• ffadfa6 [feature] Add clientRooms method (Better public .connected property socketio/socket.io#41)
• 915af31 [chore] Bump debug to version 2.3.3 (Error during WebSocket handshake: location mismatch socketio/socket.io#42)
• 35987a5 [chore] Bump socket.io-parser to version 2.3.1 (Better logging socketio/socket.io#43)
• 97bdbab [docs] Fix typo in Readme.md (require socket.io.js? socketio/socket.io#37)

See the full diff

Package name: socket.io-parser

The new version differs by 55 commits.

• 3b0a392 chore(release): 3.3.2
• 89197a0 fix: prevent DoS (OOM) via massive packets (fixes for the README socketio/socket.io#95)
• 25ca624 chore(release): 3.3.1
• b51b39b test: use Node.js 10 for the browser tests
• 4184e46 chore: bump component-emitter dependency
• 0de72b9 [chore] Release 3.3.0
• b47efb2 [fix] Remove any reference to the `global` variable
• d95e38f [chore] Update the Makefile
• b57e063 [test] Update travis configuration
• 48f340e [refactor] Fix a small typo and code styling (IE7&8 on XP does not work with the chat example socketio/socket.io#88)
• 6e40018 [chore] Release 3.2.0
• 92c530d [fix] Properly handle JSON.stringify errors (Incompatibe w/ current git Node.js because 'sys' is renamed to 'util' socketio/socket.io#84)
• dc4f475 [revert] Move binary detection to the parser
• f115039 [test] Update travis configuration
• 6b356eb [fix] Properly detect typed arrays (Support for inline (same port) flash socket policy request socketio/socket.io#85)
• f9c0625 [chore] Release 3.1.3
• f0a7df1 [fix] Ensure packet data is an array (WebSocket CLOSE_WAIT on disconnect socketio/socket.io#83)
• 8822578 [fix] Use ArrayBuffer.isView to check for typed arrays (Disconnects are blocking socketio/socket.io#82)
• dd164e6 [chore] Bump debug to version 3.1.0
• f9c3549 [chore] Release 3.1.2
• 425391a [chore] Bump has-binary2 to version 1.0.2 (Location MisMatch on Secure WebSockets socketio/socket.io#70)
• b4f849a [fix] Fix Blob detection for iOS 8/9 (Error detection for the flashSocket net server socketio/socket.io#69)
• eaee5d5 [chore] Release 3.1.1
• 2f31a4e [fix] Ensure globals are functions before running `instanceof` (Problem with IE 8 socketio/socket.io#68)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn