fix(security): upgrade socket.io ecosystem to fix DoS vulns #33313
base: develop
Conversation
- Bump socket.io and socket.io-client from 4.0.1 to 4.7.0 (CVE-2024-38355, CVE-2023-32695, CVE-2022-41940, CVE-2022-21676, CVE-2024-37890)
- Bump socket.io-parser from 4.0.5 to 4.2.3 (CVE-2023-32695)
- Bump engine.io from 6.4.2 to 6.5.5, engine.io-client to 6.5.4 (CVE-2024-37890)
- Bump engine.io-parser from 4.0.2 to 5.2.2 (CVE-2022-41940, CVE-2022-21676)
- Rewrite patches for new file structure (build/cjs + esm + esm-debug)
- Make sure socket.io-parser is not hoisted and add it to vitest's alias list
- Update root resolution for socket.io-parser to 4.2.3
| cookie: { | ||
| name: cookie, | ||
| }, | ||
| cookie: typeof cookie === 'string' ? { name: cookie as string } : undefined, |
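Review bot: the added ternary folds both boolean values of `cookie` into `undefined`, so `false` (the caller asking for no cookie) and `true` become indistinguishable from "not configured", whereas the old three lines passed whatever they were given through as `name`. Whether `undefined` and `false` then mean the same thing is a property of engine.io's default for its `cookie` option, not of this code. Make the boolean cases explicit, e.g. `cookie: cookie === false ? false : typeof cookie === 'string' ? { name: cookie } : undefined`, and drop the `as string` cast, which is redundant after the `typeof` narrowing.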
Cookie disable option not passed to socket.io
Medium Severity
The createSocketIo method's cookie parameter has type string | boolean, but the new conditional logic only handles the string case correctly. When cookie is false (intended to disable cookies), the code now returns undefined instead of false. According to socket.io's API, passing undefined uses default cookie settings (cookies enabled), while passing false disables cookies entirely. This behavioral change means users who set socketIoCookie: false to disable session cookies will now have cookies enabled with default settings.
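Added example (not Cypress code and not part of the review comment above) showing what the ternary's collapse of the boolean cases does and how to map a `string | boolean` setting onto a socket.io/engine.io-style `cookie` option without ever falling through to the library default. `CookieConfig`, `cookieOptionTernary`, `cookieOptionExplicit`, `cookieEnabled`, `divergingInputs` and the default cookie name `'io'` are this example's own names; the `CookieOption` type only mirrors the option's shape (`false`, `{ name }` or `undefined`) rather than importing the real one. It also shows that which input misbehaves depends on the library default: under a default that turns cookies on when the option is unset, the broken input is `false`; under a default that leaves them off unless a truthy value is passed (what engine.io 4+ documents for its `cookie` option), it is `true`.

```typescript
// Added example, not Cypress code. Mirrors the shape of engine.io's server
// `cookie` option: `false` disables the session cookie, an object enables it
// with the given name, `undefined` means "use the library default".
type CookieOption = false | { name: string } | undefined;

// Shape of the value createSocketIo receives, as stated in the review thread.
type CookieConfig = string | boolean;

// The mapping on the PR's changed line: every non-string input becomes undefined.
function cookieOptionTernary(cookie: CookieConfig): CookieOption {
  return typeof cookie === 'string' ? { name: cookie } : undefined;
}

// Default name used when a caller passes `true` (assumption for this example;
// a real project would use its own configured name).
const DEFAULT_COOKIE_NAME = 'io';

// Explicit mapping: every input is handled, nothing falls through to the
// library default, and an empty name is rejected instead of being sent.
function cookieOptionExplicit(cookie: CookieConfig): CookieOption {
  if (cookie === false) return false;
  if (cookie === true) return { name: DEFAULT_COOKIE_NAME };
  if (cookie.length === 0) throw new Error('cookie name must be non-empty');
  return { name: cookie };
}

// Whether a session cookie ends up being set, given the library's default
// for an unset option (`libraryDefaultEnabled`).
function cookieEnabled(opt: CookieOption, libraryDefaultEnabled: boolean): boolean {
  if (opt === undefined) return libraryDefaultEnabled;
  return opt !== false;
}

// Inputs for which the ternary and the explicit mapping produce a different
// observable result under the given library default.
function divergingInputs(libraryDefaultEnabled: boolean): CookieConfig[] {
  const inputs: CookieConfig[] = ['__cypress', true, false];
  return inputs.filter(
    (c) =>
      cookieEnabled(cookieOptionTernary(c), libraryDefaultEnabled) !==
      cookieEnabled(cookieOptionExplicit(c), libraryDefaultEnabled),
  );
}

// Cookies-on-by-default library: `false` is silently re-enabled -> [false]
// Cookies-off-by-default library: `true` is silently ignored     -> [true]
console.log(divergingInputs(true), divergingInputs(false));
```

The point of `divergingInputs` is that the ternary is wrong under either library default, just for a different input; the explicit mapping is correct under both, so it does not need to be revisited when the dependency's default changes.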
| } | ||
|
|
||
| // @ts-expect-error TODO: fix emit type | ||
| // @ts-ignore - override emit to send via CDP |
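Review bot: the switch from `@ts-expect-error` to `@ts-ignore` on the added line removes the compiler's check that the suppressed error still exists, and the `TODO: fix emit type` marker is lost with it, so nothing will flag the directive as stale once the emit typing is fixed. If the error still fires after the upgrade, keep the expect-error form and fold the new wording into it: `// @ts-expect-error TODO: fix emit type - override emit to send via CDP`; if it no longer fires, delete the directive rather than silencing the line.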
Using @ts-ignore instead of @ts-expect-error
Low Severity
The change from @ts-expect-error to @ts-ignore is a degradation in type safety. @ts-expect-error is preferred because it will produce a compiler error when the underlying type issue is fixed, signaling that the directive can be removed. @ts-ignore silently suppresses errors indefinitely, making it easy to miss when workarounds become stale.
…'origin/develop' into muaz/upgrade-socketio
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| "**/jquery": "3.7.1", | ||
| "**/qs": "6.14.1", | ||
| "**/socket.io-parser": "4.0.5", | ||
| "**/socket.io-parser": "4.2.3", |
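Review bot: the `"**/qs": "6.14.1"` resolution appears only on the old side of this hunk, alongside the `socket.io-parser` bump; if it is being dropped rather than kept, that is outside the stated scope of the change (the socket.io ecosystem) and removes the pin that forces every transitive copy of `qs` to 6.14.1. Keep the `qs` line unless `yarn why qs` shows no copy resolving below 6.14.1 after this change, and if the removal is intentional, say so in the PR description.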
Removal of qs resolution allows vulnerable version installation
High Severity
The removal of the **/qs: 6.14.1 resolution allows [email protected] to be installed, which has a high-severity DoS vulnerability (CVE-2025-15284). The yarn.lock now shows packages like body-parser and express depending on [email protected] will get the vulnerable version instead of being forced to the patched 6.14.1. This is particularly concerning since the PR's stated purpose is to fix DoS vulnerabilities, yet it inadvertently introduces another DoS vulnerability through the qs package.
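The check a reviewer would run on this finding, as an added example (not Cypress's own tooling and not part of the comment above): parse a yarn v1 lockfile and list every resolved copy of a package that sits below a required floor, which is exactly what losing a `resolutions` pin can let in. The lockfile text in `SAMPLE_LOCK` is constructed for the example (its `6.13.0` entry is a stand-in for any version below the pin, not a statement about a real release), and `lockedVersions`, `belowFloor` and `checkSample` are this example's own names. `FLOORS` uses the two pins visible in the hunk above: `qs` 6.14.1 and `socket.io-parser` 4.2.3.

```typescript
// Added example, not Cypress tooling: flag lockfile entries below a version floor.
type Floors = Record<string, string>;

// Parse "major.minor.patch" (any pre-release/build suffix is ignored).
function parseVersion(v: string): number[] {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric semver comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A yarn v1 entry starts at column 0 with one or more `name@range` keys
// (optionally double-quoted, comma-separated) ending in ':' and is followed by
// an indented `version "x.y.z"` line. Returns one {name, version} per entry.
function lockedVersions(lock: string): { name: string; version: string }[] {
  const out: { name: string; version: string }[] = [];
  let current: string | null = null;
  for (const raw of lock.split('\n')) {
    if (raw.length === 0 || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      // Key line: package name is everything before the last '@' of the first
      // key, which keeps a leading '@scope/' intact.
      const firstKey = raw.replace(/:\s*$/, '').split(',')[0].trim().replace(/^"|"$/g, '');
      const at = firstKey.lastIndexOf('@');
      current = at <= 0 ? firstKey : firstKey.slice(0, at);
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(raw);
    if (m && current !== null) {
      out.push({ name: current, version: m[1] });
      current = null;
    }
  }
  return out;
}

// Every resolved copy of a floored package whose version is below its floor.
function belowFloor(lock: string, floors: Floors): string[] {
  return lockedVersions(lock)
    .filter((e) => e.name in floors && compareVersions(e.version, floors[e.name]) < 0)
    .map((e) => `${e.name}@${e.version} < ${floors[e.name]}`);
}

// Constructed lockfile fragment: two copies of qs, one of them below the pin.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


qs@6.14.1, qs@^6.14.0:
  version "6.14.1"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.1.tgz"

qs@~6.13.0:
  version "6.13.0"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.13.0.tgz"

"socket.io-parser@4.2.3", socket.io-parser@~4.2.0:
  version "4.2.3"
  resolved "https://registry.yarnpkg.com/socket.io-parser/-/socket.io-parser-4.2.3.tgz"
`;

// Floors taken from the resolutions in the hunk: the qs pin being dropped and
// the socket.io-parser pin being raised.
const FLOORS: Floors = { qs: '6.14.1', 'socket.io-parser': '4.2.3' };

function checkSample(): string[] {
  return belowFloor(SAMPLE_LOCK, FLOORS);
}

console.log(checkSample()); // [ 'qs@6.13.0 < 6.14.1' ]
```

To run it against a real repository, read `yarn.lock` from disk in place of `SAMPLE_LOCK` and fail CI on a non-empty result; `yarn why qs` then shows which dependents pulled in any flagged copy.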
| Project | cypress |
|---|---|
| Branch Review | muaz/upgrade-socketio |
| Run duration | 47m 22s |
| Committer | cypress-bot[bot] |

| Test results | Failed | Flaky | Pending | Skipped | Passed |
|---|---|---|---|---|---|
| | 3 | 7 | 343 | 0 | 21702 |
Warning: Partial Report: The results for the Application Quality reports may be incomplete.

Warning: No Report: Something went wrong and we could not generate a report for the Application Quality products.
Tests for review

Failed tests

| Spec | Test | Artifacts |
|---|---|---|
| e2e/privileged_commands.cy.ts • 5x-driver-firefox | privileged commands > in spec file or support file > handles ArrayBuffer arguments | |
| | ... > can stub a response with an ArrayBuffer | |
| | ... > errors > does not throw again when 2nd alias doesn't reference a route | Test Replay |

Flaky tests

| Spec | Test | Artifacts |
|---|---|---|
| issues/28527.cy.ts • 5x-driver-electron | issue 28527 > fails and then retries and verifies about:blank is not displayed | Test Replay, Screenshots |
| commands/net_stubbing.cy.ts • 5x-driver-firefox | ... > stops waiting when an xhr request is canceled | |
| | src/cy/commands/files > #readFile > retries assertions until they pass | |
| | issue 28527 > fails and then retries and verifies about:blank is not displayed | Screenshots |

The first 5 flaky specs are shown, see all 7 specs in Cypress Cloud.


This PR upgrades the socket.io ecosystem dependencies to address multiple Denial of Service (DoS) and related vulnerabilities.

Additional details

Upgrading these dependencies removes several known security vulnerabilities, primarily DoS, and resolves inconsistencies with new upstream package structures to maintain the security and stability of the project.

- socket.io and socket.io-client: 4.0.1 to 4.7.0
- socket.io-parser: 4.0.5 to 4.2.3
- engine.io: 6.4.2 to 6.5.5; engine.io-client: 6.5.4
- engine.io-parser: 4.0.2 to 5.2.2

Additional updates:

- Rewrote patches for the new file structure (build/cjs, esm, and esm-debug)
- Made sure socket.io-parser is not hoisted and added it to Vitest's alias list
- Updated the root resolution for socket.io-parser to 4.2.3

Note: Medium Risk

Medium risk because it upgrades core websocket transport/parsing dependencies and rewrites patch-package patches, which can subtly change runtime socket behavior across browser/node environments.

Overview

Upgrades the Socket.IO stack to newer, security-fixed releases. @packages/socket now depends on socket.io/socket.io-client 4.7.0, engine.io 6.5.x, engine.io-parser 5.2.2, and socket.io-parser 4.2.3, with root package.json resolutions updated accordingly.

Reworks Cypress-specific patches for the new upstream file layout. The old engine.io-parser+4.0.2.patch and socket.io-parser+4.0.5.patch are replaced with build/cjs + esm + esm-debug patches to keep circular-object and binary handling (via flatted, cycle tracking, and broader binary detection).

Adjusts integration points for the upgraded libraries. CDPBrowserSocket switches from component-emitter to @socket.io/component-emitter typings, SocketBase.createSocketIo updates cookie option handling, tests/config are updated to import the new parser entrypoints and add a Vitest alias, and tooling/v8-snapshot metadata is refreshed to match the new dependency tree.

Written by Cursor Bugbot for commit d5ea767.
PR Tasks

- cypress-documentation?
- type definitions?