fix(deps): Insufficient validation when decoding a Socket.IO packet

5 months ago · b469c1debb
2 changed files with 14 additions and 69 deletions
--- a/packages/nocodb/package.json
+++ b/packages/nocodb/package.json
@ -162,7 +162,7 @@
    "rxjs": "^7.2.0",
    "slash": "^3.0.0",
    "slug": "^8.2.3",
-    "socket.io": "^4.4.1",
+    "socket.io": "^4.7.4",
    "sql-query-identifier": "^2.5.0",
    "sqlite3": "^5.1.7",
    "tedious": "^16.6.1",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -761,8 +761,8 @@ importers:
        specifier: ^8.2.3
        version: 8.2.3
      socket.io:
-        specifier: ^4.4.1
-        version: 4.4.1
+        specifier: ^4.7.4
+        version: 4.7.4
      sql-query-identifier:
        specifier: ^2.5.0
        version: 2.5.0
@ -8734,10 +8734,6 @@ packages:
    resolution: {integrity: sha512-qQR1dr2rGIHYlJulmr8Ioq3De0Le9E4MJ5AiaeAETJJpndT1uUNHsGFK3L/UIu+rbkQSdj8J/w2bCsBZc/Y5fQ==}
    dev: false

-  /@types/component-emitter@1.2.11:
-    resolution: {integrity: sha512-SRXjM+tfsSlA9VuG8hGO2nft2p8zjXCK1VcC6N4NXbBbYbSia9kzCChYQajIjzIqOOOuh5Ock6MmV2oux4jDZQ==}
-    dev: false
-
  /@types/concat-stream@1.6.1:
    resolution: {integrity: sha512-eHE4cQPoj6ngxBZMvVf6Hw7Mh4jMW4U9lpGmS5GBPB9RYxlFg+CHaVN7ErNY4W9XfLIEn20b4VDYaIrbq0q4uA==}
    dependencies:
@ -12590,6 +12586,7 @@ packages:

  /component-emitter@1.3.0:
    resolution: {integrity: sha512-Rd3se6QB+sO1TwqZjscQrurpEPIfO0/yYnSin6Q/rD3mOutHvUrCAhJub3r90uNb+SESBuE0QYoB90YdfatsRg==}
+    dev: true

  /component-type@1.2.1:
    resolution: {integrity: sha512-Kgy+2+Uwr75vAi6ChWXgHuLvd+QLD7ssgpaRq2zCvt80ptvAfMc/hijcJxXkBa2wMlEZcJvC2H8Ubo+A9ATHIg==}
@ -13854,35 +13851,10 @@ packages:
      - utf-8-validate
    dev: false

-  /engine.io-parser@5.0.7:
-    resolution: {integrity: sha512-P+jDFbvK6lE3n1OL+q9KuzdOFWkkZ/cMV9gol/SbVfpyqfvrfrFTOFJ6fQm2VC3PZHlU3QPhVwmbsCnauHF2MQ==}
-    engines: {node: '>=10.0.0'}
-    dev: false
-
  /engine.io-parser@5.2.1:
    resolution: {integrity: sha512-9JktcM3u18nU9N2Lz3bWeBgxVgOKpw7yhRaoxQA3FUDZzzw+9WlA6p4G4u0RixNkg14fH7EfEc/RhpurtiROTQ==}
    engines: {node: '>=10.0.0'}

-  /engine.io@6.1.3:
-    resolution: {integrity: sha512-rqs60YwkvWTLLnfazqgZqLa/aKo+9cueVfEi/dZ8PyGyaf8TLOxj++4QMIgeG3Gn0AhrWiFXvghsoY9L9h25GA==}
-    engines: {node: '>=10.0.0'}
-    dependencies:
-      '@types/cookie': 0.4.1
-      '@types/cors': 2.8.13
-      '@types/node': 20.3.3
-      accepts: 1.3.8
-      base64id: 2.0.0
-      cookie: 0.4.2
-      cors: 2.8.5
-      debug: 4.3.4(supports-color@5.5.0)
-      engine.io-parser: 5.0.7
-      ws: 8.2.3
-    transitivePeerDependencies:
-      - bufferutil
-      - supports-color
-      - utf-8-validate
-    dev: false
-
  /engine.io@6.5.2:
    resolution: {integrity: sha512-IXsMcGpw/xRfjra46sVZVHiSWo/nJ/3g1337q9KNXtS6YRzbW5yIzTCb9DjhrBe7r3GZQR0I4+nq+4ODk5g/cA==}
    engines: {node: '>=10.2.0'}
@ -23475,10 +23447,6 @@ packages:
      - supports-color
    dev: false

-  /socket.io-adapter@2.3.3:
-    resolution: {integrity: sha512-Qd/iwn3VskrpNO60BeRyCyr8ZWw9CPZyitW4AQwmRZ8zCiyDiL+znRnWX6tDHXnWn1sJrM1+b6Mn6wEDJJ4aYQ==}
-    dev: false
-
  /socket.io-adapter@2.5.2:
    resolution: {integrity: sha512-87C3LO/NOMc+eMcpcxUBebGjkpMDkNBS9tf7KJqcDsmL936EChtVva71Dw2q4tQcuVC+hAUy4an2NO/sYXmwRA==}
    dependencies:
@ -23501,17 +23469,6 @@ packages:
      - utf-8-validate
    dev: false

-  /socket.io-parser@4.0.5:
-    resolution: {integrity: sha512-sNjbT9dX63nqUFIOv95tTVm6elyIU4RvB1m8dOeZt+IgWwcWklFDOdmGcfo3zSiRsnR/3pJkjY5lfoGqEe4Eig==}
-    engines: {node: '>=10.0.0'}
-    dependencies:
-      '@types/component-emitter': 1.2.11
-      component-emitter: 1.3.0
-      debug: 4.3.4(supports-color@5.5.0)
-    transitivePeerDependencies:
-      - supports-color
-    dev: false
-
  /socket.io-parser@4.2.4:
    resolution: {integrity: sha512-/GbIKmo8ioc+NIWIhwdecY0ge+qVBSMdgxGygevmdHj24bsfgtCmcUUcQ5ZzcylGFHsN3k4HB4Cgkl96KVnuew==}
    engines: {node: '>=10.0.0'}
@ -23521,24 +23478,24 @@ packages:
    transitivePeerDependencies:
      - supports-color

-  /socket.io@4.4.1:
-    resolution: {integrity: sha512-s04vrBswdQBUmuWJuuNTmXUVJhP0cVky8bBDhdkf8y0Ptsu7fKU2LuLbts9g+pdmAdyMMn8F/9Mf1/wbtUN0fg==}
-    engines: {node: '>=10.0.0'}
+  /socket.io@4.7.2:
+    resolution: {integrity: sha512-bvKVS29/I5fl2FGLNHuXlQaUH/BlzX1IN6S+NKLNZpBsPZIDH+90eQmCs2Railn4YUiww4SzUedJ6+uzwFnKLw==}
+    engines: {node: '>=10.2.0'}
    dependencies:
      accepts: 1.3.8
      base64id: 2.0.0
+      cors: 2.8.5
      debug: 4.3.4(supports-color@5.5.0)
-      engine.io: 6.1.3
-      socket.io-adapter: 2.3.3
-      socket.io-parser: 4.0.5
+      engine.io: 6.5.2
+      socket.io-adapter: 2.5.2
+      socket.io-parser: 4.2.4
    transitivePeerDependencies:
      - bufferutil
      - supports-color
      - utf-8-validate
-    dev: false

-  /socket.io@4.7.2:
-    resolution: {integrity: sha512-bvKVS29/I5fl2FGLNHuXlQaUH/BlzX1IN6S+NKLNZpBsPZIDH+90eQmCs2Railn4YUiww4SzUedJ6+uzwFnKLw==}
+  /socket.io@4.7.4:
+    resolution: {integrity: sha512-DcotgfP1Zg9iP/dH9zvAQcWrE0TtbMVwXmlV4T4mqsvY+gw+LqUGPfx2AoVyRk0FLME+GQhufDMyacFmw7ksqw==}
    engines: {node: '>=10.2.0'}
    dependencies:
      accepts: 1.3.8
@ -23552,6 +23509,7 @@ packages:
      - bufferutil
      - supports-color
      - utf-8-validate
+    dev: false

  /socks-proxy-agent@6.2.1:
    resolution: {integrity: sha512-a6KW9G+6B3nWZ1yB8G7pJwL3ggLy1uTzKAgCb7ttblwqdz9fMGJUuTy3uFzEP48FAs9FLILlmzDlE2JJhVQaXQ==}
@ -26851,19 +26809,6 @@ packages:
      utf-8-validate:
        optional: true

-  /ws@8.2.3:
-    resolution: {integrity: sha512-wBuoj1BDpC6ZQ1B7DWQBYVLphPWkm8i9Y0/3YdHjHKHiohOJ1ws+3OccDWtH+PoC9DZD5WOTrJvNbWvjS6JWaA==}
-    engines: {node: '>=10.0.0'}
-    peerDependencies:
-      bufferutil: ^4.0.1
-      utf-8-validate: ^5.0.2
-    peerDependenciesMeta:
-      bufferutil:
-        optional: true
-      utf-8-validate:
-        optional: true
-    dev: false
-
  /xc-core-ts@0.1.0:
    resolution: {integrity: sha512-7n/GQR5RAOjeM5IKD+F2TmizO1qlBNQ/Q0B5dP14kXl8Lb7YYBHkkbQSUQiR6mA0Y+c+aLZpI4DYWwDNCgAyzw==}
    engines: {node: '>=6.0.0'}