socket.io-parser is the component that encodes and decodes the Socket.IO protocol for the Socket.IO library. Versions 4.0.5 and 4.0.4 declare the same runtime dependencies ("debug", "component-emitter" and "@types/component-emitter") and the same development dependencies (zuul, mocha, benchmark and expect.js for testing, prettier for formatting, and the TypeScript compiler), so the build and test setup did not change between them. Both are released under the MIT license.
The visible difference is in the "dist" section: version 4.0.5 has a "fileCount" of 9 and an "unpackedSize" of 21098 bytes, while version 4.0.4 has a "fileCount" of 10 and an "unpackedSize" of 24092 bytes. One file fewer and roughly 3 KB less on disk says nothing about runtime performance and is not evidence of an optimization. The "releaseDate" fields are further apart than the version numbers suggest: 4.0.4 was published in January 2021 and 4.0.5 in June 2022. Because 4.0.4 to 4.0.5 is a patch-level bump, semantic versioning implies bug fixes rather than new features or protocol changes; the changelog, not the time gap, is what tells you what changed. Moving from 4.0.4 to 4.0.5 picks up those fixes, but it does not address the advisory below, which lists 4.0.5 itself as affected: no fix was published for the 4.0.x line, and the remediation given there is to upgrade socket.io to 4.6.x, which depends on the socket.io-parser 4.2.x line where npm audit fix brings in the patched release.
All the vulnerabilities related to version 4.0.5 of the package
Insufficient validation when decoding a Socket.IO packet
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```
TypeError: Cannot convert object to primitive value
    at Socket.emit (node:events:507:25)
    at .../node_modules/socket.io/lib/socket.js:531:14
```
A fix has been released today (2023/05/22):
socket.io-parser@4.2.3
socket.io-parser@3.4.3
Another fix has been released for the 3.3.x branch:
| socket.io version | socket.io-parser version | Needs minor update? |
|---|---|---|
| 4.5.2...latest | ~4.2.0 (ref) | npm audit fix should be sufficient |
| 4.1.3...4.5.1 | ~4.1.1 (ref) | Please upgrade to socket.io@4.6.x |
| 3.0.5...4.1.2 | ~4.0.3 (ref) | Please upgrade to socket.io@4.6.x |
| 3.0.0...3.0.4 | ~4.0.1 (ref) | Please upgrade to socket.io@4.6.x |
| 2.3.0...2.5.0 | ~3.4.0 (ref) | npm audit fix should be sufficient |
There is no known workaround except upgrading to a safe version.
If you have any questions or comments about this advisory:
Thanks to @rafax00 for the responsible disclosure.