socket.io-parser @4.0.5

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 81
License: MIT
Install Scripts: No
Dependencies: 3
Dev Dependencies: 14
Package Size: 5.8 KB
Published

socket.io protocol parser

Maintainers

rauchg, darrachequesne

Dependencies (3)

Package  Constraint  Registry Status
debug ~4.3.1 auto_approved
component-emitter ~1.3.0 auto_approved
@types/component-emitter ^1.2.10 auto_approved

Dev Dependencies (14)

Package  Constraint  Registry Status
zuul 3.11.1 Not imported
mocha 3.2.0 auto_approved
rimraf ^3.0.2 auto_approved
babelify ~10.0.0 No greenflagged match
prettier ^2.1.2 auto_approved
benchmark 2.1.2 auto_approved
expect.js 0.3.1 auto_approved
typescript ^4.0.3 auto_approved
zuul-ngrok 4.0.0 Not imported
@babel/core ~7.9.6 auto_approved
@types/node ^14.11.1 auto_approved
@types/debug ^4.1.5 auto_approved
@babel/preset-env ~7.9.6 auto_approved
socket.io-browsers ^1.0.0 Not imported

Transitive Dependency Tree

4 transitive deps, max depth 2
├─ @types/component-emitter ^1.2.10 → 1.2.14
├─ component-emitter ~1.3.0 → 1.3.1
└─ debug ~4.3.1 → 4.3.7
   └─ ms ^2.1.3 → 2.1.3

Changes from v2.3.2

Dependency Changes

Change  Package  Version
added @types/component-emitter ^1.2.10
removed json3 3.3.2
removed isarray 0.0.1
changed debug 2.3.3 → ~4.3.1
changed component-emitter 1.2.1 → ~1.3.0

Script Changes

+ compile
+ prepack
+ test:node
+ format:fix
+ format:check
+ test:browser

File Changes

6 added, 4 removed, 2 modified; size delta: +2.6 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
osv:GHSA-677m-j7p3-52f9 osv reject AI AI (osv): HIGH severity DoS (memory exhaustion) with no workaround; fixed in 4.2.6. Affected range covers this and all prior 4.x versions.

SAST Findings (3)

CRITICAL GHSA-677m-j7p3-52f9: socket.io allows an unbounded number of binary attachments osv

[Always reject]

### Impact

A specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory.

### Patches

| Version range    | Used by                                    | Fixed version |
|------------------|--------------------------------------------|---------------|
| `>=4.0.0 <4.2.6` | `[email protected]` and `[email protected]` | `4.2.6`       |
| `>=3.4.0 <3.4.4` | `[email protected]`                        | `3.4.4`       |
| `<3.3.5`         | `[email protected]`                        | `3.3.5`       |

### Workarounds

There is no known workaround except upgrading to a safe version.

### For more information

If you have any questions or comments about this advisory:

- Open a discussion [here](https://github.com/socketio/socket.io/discussions)

HIGH GHSA-cqmj-92xf-r6r9: Insufficient validation when decoding a Socket.IO packet osv

CVSS 7.3 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

### Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

```
TypeError: Cannot convert object to primitive value
    at Socket.emit (node:events:507:25)
    at .../node_modules/socket.io/lib/socket.js:531:14
```

### Patches

A fix has been released today (2023/05/22):

- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `[email protected]`
- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `[email protected]`

Another fix has been released for the `3.3.x` branch:

- https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `[email protected]`

| `socket.io` version | `socket.io-parser` version | Needs minor update? |
|---------------------|----------------------------|---------------------|
| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |
| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `[email protected]` |
| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `[email protected]` |
| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `[email protected]` |
| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |

### Workarounds

There is no known workaround except upgrading to a safe version.

### For more information

If you have any questions or comments about this advisory:

- Open a discussion [here](https://github.com/socketio/socket.io/discussions)

Thanks to [@rafax00](https://github.com/rafax00) for the responsible disclosure.
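Both advisories above are about what a decoder accepts from the wire: the first lets a sender choose how many binary attachments the server will wait for and buffer, the second lets a payload through whose shape the emitter cannot handle. The block below is an added example, not socket.io-parser's code and not the upstream fixes linked above. It is a minimal decoder for the text form of a Socket.IO packet, `<type>[<attachments>-][<nsp>,][<ack id>][<json>]`, that refuses both classes of input: it caps the advertised attachment count, checks that the count matches the `_placeholder` markers actually present in the payload, and validates the payload shape per packet type before anything is handed to an event emitter. `PacketType`, `MAX_ATTACHMENTS`, `decodeString`, `isPayloadValid` and `countPlaceholders` are names chosen here, and the attachment ceiling is an assumed deployment limit, not a project constant.

```javascript
"use strict";

// Packet types from the Socket.IO protocol.
const PacketType = Object.freeze({
  CONNECT: 0, DISCONNECT: 1, EVENT: 2, ACK: 3,
  CONNECT_ERROR: 4, BINARY_EVENT: 5, BINARY_ACK: 6,
});

// Assumed per-deployment ceiling on binary attachments per packet (not a
// project constant). The sender must never decide how many buffers the
// server will hold in memory while waiting for the rest of the packet.
const MAX_ATTACHMENTS = 16;

// Count {"_placeholder":true,"num":N} markers in a decoded JSON payload.
function countPlaceholders(value) {
  if (Array.isArray(value)) {
    return value.reduce((n, v) => n + countPlaceholders(v), 0);
  }
  if (value !== null && typeof value === "object") {
    if (value._placeholder === true && Number.isInteger(value.num)) return 1;
    return Object.values(value).reduce((n, v) => n + countPlaceholders(v), 0);
  }
  return 0;
}

// Shape check on the JSON payload per packet type. For EVENT/BINARY_EVENT the
// first element is the event name and must be a string or number, so nothing
// reaches EventEmitter.emit() that it cannot coerce to a primitive.
function isPayloadValid(type, data) {
  const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
  switch (type) {
    case PacketType.CONNECT: return data === undefined || isPlainObject(data);
    case PacketType.DISCONNECT: return data === undefined;
    case PacketType.CONNECT_ERROR: return typeof data === "string" || isPlainObject(data);
    case PacketType.EVENT:
    case PacketType.BINARY_EVENT:
      return Array.isArray(data) && data.length > 0 &&
        (typeof data[0] === "string" || typeof data[0] === "number");
    case PacketType.ACK:
    case PacketType.BINARY_ACK: return Array.isArray(data);
    default: return false;
  }
}

// Decode the text form <type>[<attachments>-][<nsp>,][<ack id>][<json>],
// throwing on anything malformed instead of passing it on to the server.
function decodeString(str) {
  if (str.length === 0) throw new Error("empty packet");
  const packet = { type: Number(str.charAt(0)), nsp: "/" };
  if (!Object.values(PacketType).includes(packet.type)) {
    throw new Error(`unknown packet type: ${str.charAt(0)}`);
  }
  let i = 1;

  if (packet.type === PacketType.BINARY_EVENT || packet.type === PacketType.BINARY_ACK) {
    const start = i;
    while (i < str.length && str.charAt(i) !== "-") i++;
    const count = str.slice(start, i);
    if (str.charAt(i) !== "-" || !/^\d+$/.test(count)) throw new Error("illegal attachments");
    packet.attachments = Number(count);
    if (packet.attachments > MAX_ATTACHMENTS) {
      throw new Error(`too many attachments: ${packet.attachments}`);
    }
    i++; // skip '-'
  }

  if (str.charAt(i) === "/") {
    const start = i;
    while (i < str.length && str.charAt(i) !== ",") i++;
    packet.nsp = str.slice(start, i);
    i++; // skip ','
  }

  const idStart = i;
  while (i < str.length && /\d/.test(str.charAt(i))) i++;
  if (i > idStart) packet.id = Number(str.slice(idStart, i));

  // A JSON SyntaxError propagates to the caller; a well-formed but
  // wrongly-shaped payload is rejected here, before it reaches any handler.
  const data = i < str.length ? JSON.parse(str.slice(i)) : undefined;
  if (!isPayloadValid(packet.type, data)) throw new Error("invalid payload");
  if (data !== undefined) packet.data = data;

  // The advertised attachment count must match the placeholders actually
  // present, so a packet cannot reserve buffers it never references.
  if (packet.attachments !== undefined &&
      countPlaceholders(packet.data) !== packet.attachments) {
    throw new Error("attachment count mismatch");
  }
  return packet;
}
```

Feed `decodeString` the text part of an incoming packet and treat any thrown error as a reason to drop the packet (and, for repeated offenders, the connection). Note that the attachment check runs before the parser starts waiting for binary frames: the point is to reject the count while it is still a number in a string, not after the buffers have been allocated.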

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 81. Findings: 1 critical (+40), 1 high (+25), 1 medium (+10), 2 low (+6).

Commit: f3329eb5a46b Browse source

Published to npm: