Skip to content

fix(deps): update dependency socket.io-parser to v4.2.3 [security] #32542

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

fix(deps): update dependency socket.io-parser to v4.2.3 [security] #32542

wants to merge 1 commit into from
+12 −8

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Sep 22, 2025
edited by cursor bot
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
socket.io-parser 4.0.5 -> 4.2.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-32695

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

Another fix has been released for the 3.3.x branch:

socket.io version socket.io-parser version Needs minor update?
4.5.2...latest ~4.2.0 (ref) npm audit fix should be sufficient
4.1.3...4.5.1 ~4.1.1 (ref) Please upgrade to [email protected]
3.0.5...4.1.2 ~4.0.3 (ref) Please upgrade to [email protected]
3.0.0...3.0.4 ~4.0.1 (ref) Please upgrade to [email protected]
2.3.0...2.5.0 ~3.4.0 (ref) npm audit fix should be sufficient

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks to @​rafax00 for the responsible disclosure.

Release Notes

Automattic/socket.io-parser (socket.io-parser)

v4.2.3

Compare Source

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Please upgrade as soon as possible.

Bug Fixes
  • check the format of the event name (3b78117)
Links

v4.2.2

Compare Source

Bug Fixes
  • calling destroy() should clear all internal state (22c42e3)
  • do not modify the input packet upon encoding (ae8dd88)
Links

v4.2.1

Compare Source

Bug Fixes
  • check the format of the index of each attachment (b5d0cb7)
Links

v4.2.0

Compare Source

Features
Links

v4.1.2

Compare Source

Bug Fixes
  • allow objects with a null prototype in binary packets (#​114) (7f6b262)
Links

v4.1.1

Compare Source

Links

v4.1.0

Compare Source

Features
  • provide an ESM build with and without debug (388c616)
Links

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Note

Bumps socket.io-parser to 4.2.3 in root resolutions and @packages/socket, updating lockfile and transitive deps.

  • Dependencies:
    • Upgrade socket.io-parser from 4.0.5 to 4.2.3:
      • Root package.json resolutions"**/socket.io-parser": "4.2.3".
      • packages/socket/package.json dependency → "socket.io-parser": "4.2.3".
    • Lockfile: refresh yarn.lock entries for [email protected] and add @socket.io/component-emitter@~3.1.0 as a transitive dependency.

Written by Cursor Bugbot for commit 96ef930. This will update automatically on new commits. Configure here.

@cypress-app-bot
Copy link
Collaborator

cypress-app-bot commented Sep 22, 2025

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.

@renovate renovate bot force-pushed the renovate/npm-socket.io-parser-vulnerability branch 7 times, most recently from 8a50032 to 552d1ab Compare September 23, 2025 15:32
cursor[bot]

This comment was marked as outdated.

Sign in to view

@renovate renovate bot force-pushed the renovate/npm-socket.io-parser-vulnerability branch 13 times, most recently from 854f5eb to bd2de59 Compare September 30, 2025 14:06
@renovate renovate bot force-pushed the renovate/npm-socket.io-parser-vulnerability branch 7 times, most recently from 2f9d446 to 1abbee5 Compare October 2, 2025 13:41
@renovate renovate bot force-pushed the renovate/npm-socket.io-parser-vulnerability branch 12 times, most recently from eef2721 to 1f83768 Compare November 5, 2025 15:10
cursor[bot]
cursor bot reviewed Nov 5, 2025
View reviewed changes
packages/socket/package.json
"socket.io": "4.0.1",
"socket.io-client": "4.0.1",
"socket.io-parser": "4.0.5",
"socket.io-parser": "4.2.3",
Copy link

@cursor cursor bot Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Patch mismatch blocks circular object serialization upgrade

The socket.io-parser dependency is being upgraded from 4.0.5 to 4.2.3, but there's an existing patch file (packages/socket/patches/socket.io-parser+4.0.5.patch) that will no longer be applied. The patch-package tool requires exact version matches in the filename. This patch adds critical functionality for handling circular objects in socket.io messages using the flatted library and WeakMap tracking. Without this patch being applied to version 4.2.3, the application will lose the ability to properly serialize circular objects, potentially causing runtime errors or data corruption. A new patch file named socket.io-parser+4.2.3.patch needs to be created, or the existing patch needs to be verified as no longer necessary for version 4.2.3.

Fix in Cursor Fix in Web

@renovate renovate bot force-pushed the renovate/npm-socket.io-parser-vulnerability branch 15 times, most recently from e592993 to 89f6029 Compare November 7, 2025 22:28
@renovate renovate bot force-pushed the renovate/npm-socket.io-parser-vulnerability branch from 89f6029 to 96ef930 Compare November 8, 2025 02:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

type: dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cypress-app-bot