[Snyk] Upgrade socket.io from 2.3.0 to 2.4.1

[snyk-bot]

Snyk has created this PR to upgrade socket.io from 2.3.0 to 2.4.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 2 versions ahead of your current version.
• The recommended version was released 7 months ago, on 2021-01-07.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Proof of Concept
	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	No Known Exploit
	Insecure Defaults SNYK-JS-SOCKETIO-1024859	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: socket.io

• 2.4.1 - 2021-01-07
• 2.4.0 - 2021-01-04
• 2.3.0 - 2019-09-20

from socket.io GitHub release notes

Commit messages

Package name: socket.io

• e6b8697 chore(release): 2.4.1
• a169050 revert: fix(security): do not allow all origins by default
• 873fdc5 chore(release): 2.4.0
• f78a575 fix(security): do not allow all origins by default
• d33a619 fix: properly overwrite the query sent in the handshake
• 3951a79 chore: bump engine.io version
• 6fa026f ci: migrate to GitHub Actions

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs