Bump engine.io and lineman

[dependabot]

Bumps engine.io to 3.6.1 and updates ancestor dependency lineman. These dependencies need to be updated together.

Updates engine.io from 1.8.5 to 3.6.1

Release notes

Sourced from engine.io's releases.

3.6.1

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

• catch errors when destroying invalid upgrades (83c4071)

3.6.0

Bug Fixes

• add extension in the package.json main entry (#608) (3ad0567)
• do not reset the ping timer after upgrade (1f5d469)

Features

• decrease the default value of maxHttpBufferSize (58e274c)

This change reduces the default value from 100 mb to a more sane 1 mb.

This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.

See also: GHSA-j4f2-536g-r55m

• increase the default value of pingTimeout (f55a79a)

Links

• Diff: socketio/engine.io@3.5.0...3.6.0
• Client release: -

... (truncated)

Changelog

Sourced from engine.io's changelog.

3.6.1 (2022-11-20)

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

• catch errors when destroying invalid upgrades (83c4071)

6.2.1 (2022-11-20)

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

... (truncated)

Commits

• 67a3a87 chore(release): 3.6.1
• 83c4071 fix: catch errors when destroying invalid upgrades
• f62f265 chore(release): 3.6.0
• f55a79a feat: increase the default value of pingTimeout
• 1f5d469 fix: do not reset the ping timer after upgrade
• 3ad0567 fix: add extension in the package.json main entry (#608)
• 58e274c feat: decrease the default value of maxHttpBufferSize
• b9dee7b chore(release): 3.5.0
• 19cc582 feat: add support for all cookie options
• 5ad2736 feat: disable perMessageDeflate by default
• Additional commits viewable in compare view

Updates lineman from 0.37.0 to 0.39.0

Release notes

Sourced from lineman's releases.

Update more things

• Get off our fork of grunt-contrib-watch
• Update our fetcher gem to latest to avoid dragging in ancient coffee-script package
• update sass again

Keep Working A While Longer Please Release

Lineman is effectively unmaintained at this point, but still seems to work fine in the handful of places we run it.

This release is an attempt to stave off the inevitable march of progress by upgrading all of our Lineman's dependencies to their latest releases (including the ones we own like grunt-watch-nospawn and grunt-asset-fingerprint). It also switches from grunt-concat-sourcemap to grunt-contrib-concat, switches to a modern/working sass plugin. The only dependency we weren't able to get to latest was express@4, but only because I didn't have enough time to ensure that the proxy API feature would continue to work as it had been previously.

As a result, after upgrading to this version of Lineman and running on Node 14, you should expect some deprecation warnings:

connect deprecated multipart: use parser (multiparty, busboy, formidable) npm module instead ../../../../linemanjs/lineman/node_modules/connect/lib/middleware/bodyParser.js:56:20
connect deprecated limit: Restrict request size at location of read ../../../../linemanjs/lineman/node_modules/connect/lib/middleware/multipart.js:86:15

And:

(node:28158) [DEP0066] DeprecationWarning: OutgoingMessage.prototype._headers is deprecated

Issues you might encounter

• For some reason, this upgrade may require you to install coffeescript directly to your project in order to load; since Lineman uses Grunt to bootstrap itself and the final version of Grunt required users to install coffeescript directly themselves even if it was transitively installed under lineman, will fail and tell you to npm i -D coffeescript. If you do so, it should start working again. ¯_(ツ)_/¯

Commits

• 61d6815 0.39.0
• f256192 update sass, switch to grunt-contrib-watch, update fetcher
• 98985ce 0.38.0
• e9b4b0b enable support for newer js versions (as of 2016 at least, heh)
• 3ba1ad4 switch from forked concat task to official, more-recently-updated one (fixes ...
• 5d5c53e upgrade to newly updated grunt-asset-fingerprint
• 4419e3a get the two crappy unit tests to pass
• 023cdb5 i don't see how this EVER worked
• 16ff5e4 fix apparently permanent bug in thinking this was testing truthiness and not ...
• 11ff363 start upgrading lineman's deps
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.