Bump engine.io and browser-sync

[dependabot]

Bumps engine.io to 6.2.1 and updates ancestor dependency browser-sync. These dependencies need to be updated together.

Updates engine.io from 3.1.5 to 6.2.1

Release notes

Sourced from engine.io's releases.

6.2.1

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

• catch errors when destroying invalid upgrades (#658) (425e833)

6.2.0

Features

• add the "maxPayload" field in the handshake details (088dcb4)

So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize value.

This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as we only add a field in the JSON-encoded handshake data:

0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}

Links

• Diff: socketio/engine.io@6.1.3...6.2.0
• Client release: 6.2.0
• ws version: ~8.2.3

6.1.3

Bug Fixes

• typings: allow CorsOptionsDelegate as cors options (#641) (a463d26)
• uws: properly handle chunked content (#642) (3367440)

... (truncated)

Changelog

Sourced from engine.io's changelog.

6.2.1 (2022-11-20)

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

• catch errors when destroying invalid upgrades (#658) (425e833)

3.6.0 (2022-06-06)

Bug Fixes

• add extension in the package.json main entry (#608) (3ad0567)
• do not reset the ping timer after upgrade (1f5d469), closes socketio/socket.io-client-swift#1309

Features

• decrease the default value of maxHttpBufferSize (58e274c)

This change reduces the default value from 100 mb to a more sane 1 mb.

This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.

See also: GHSA-j4f2-536g-r55m

• increase the default value of pingTimeout (f55a79a)

... (truncated)

Commits

• 24b847b chore(release): 6.2.1
• 425e833 fix: catch errors when destroying invalid upgrades (#658)
• 99adb00 chore(deps): bump xmlhttprequest-ssl and engine.io-client in /examples/latenc...
• d196f6a chore(deps): bump minimatch from 3.0.4 to 3.1.2 (#660)
• 7c1270f chore(deps): bump nanoid from 3.1.25 to 3.3.1 (#659)
• 535a01d ci: add Node.js 18 in the test matrix
• 1b71a6f docs: remove "Vanilla JS" highlight from README (#656)
• 917d1d2 refactor: replace deprecated String.prototype.substr() (#646)
• 020801a chore: add changelog for version 3.6.0
• ed1d6f9 test: make test script work on Windows (#643)
• Additional commits viewable in compare view

Updates browser-sync from 2.24.4 to 2.27.10

Release notes

Sourced from browser-sync's releases.

2.27.9

What's Changed

• fix(cli): Where's the command help? fixes #1929 by @​shakyShane in BrowserSync/browser-sync#1945

A bug prevented the help output from displaying - it was introduced when the CLI parser yargs was updated, and is now fixed :)

Full Changelog: BrowserSync/browser-sync@v2.27.8...v2.27.9

2.27.8

This release upgrades Socket.io (client+server) to the latest versions - solving the following issues, and silencing security warning :)

PR:

• BrowserSync/browser-sync@58ab4ab

Resolved Issues:

• BrowserSync/browser-sync#1850
• BrowserSync/browser-sync#1892
• BrowserSync/browser-sync#1925
• BrowserSync/browser-sync#1926
• BrowserSync/browser-sync#1933

Thanks to @​lachieh for the original PR, which helped me land this fix

upgraded dependencies

This is a maintenance release to address 2 security related issues (socket.io & axios)

Happy Browsersync'in :)

v2.26.0

these notes describe the change from 2.24.6 -> 2.26.0

fixes

• Removing default logger prefix [BS] - fixes #1607 257fba6d3fa3b4e77f526912a395625efcdebcb3
• case-insensitive matching on domain key in proxy responses dacfc8bcedbd1f8e27a3ad4944aee44ff7f73533
• bump chokidar fixing fsevents build - closes #1613 11729cc0a398d276a66d1883d1273f2fd3c1d36e
• Unexpected Page Reload after Pausing in Debugger - fixes #1591 06ee1b7db8d3090f693dc8ba0650f3e7022463ae
• scroll - add missing init method for window.name method of scroll restoring - fixes #1586 #1457 #1457 9e96603e2f8e859a5ae6fe921c7380787c706896
• proxy Port gets unnecesarily rewritten in Proxy - fixes #1577 48286e0d09e35b06b5736be674ffe52105ba0a86

chore

• move cypress to top-level dep 0d4ab8156b30bbdafbb202ee0f597d4ea5dc4d0b
• package-lock files 900e23e321ffe2110068e3194b9d00d988ffb721
• change API of option transforms ef12e9aa576d4395db9353d80761487ff4f82206

lerna

• initial version 7c0ad4eaffbd1e1b9760277cce193692f0577bcd
• more path updates c108af8ed973c74cdfecbf3cfb104e6b6c5e9bde

... (truncated)

Commits

• f6965a6 v2.27.10
• e6c7bed Updated portscanner to 2.2.0 (#1960)
• 6a587ec fix readme's
• 91258ae Merge branch 'browser-sync-1946-esbuild'
• f48d6b4 👋 app veyor
• 30c24dc Merge pull request #1947
• 9d24de5 drop webpack from UI
• 7a00341 build client with esbuild
• c30868a v2.27.9
• 9b5fcdc fix(cli): Where's the command help? fixes #1929 (#1945)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.