fix(security): the CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1

Project-wide update of socket-io was necessary to 4.5.4 because of its transitive dependence on socket.io-parser. To completely get rid of all instances of the vulnerable versions, we also have to upgrade the example application's Angular versions: - Upgraded Artillery from v1.7.1 to v1.7.9 Depends on #2229 Fixes #2228 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
hyperledger · Jul 16, 2023 · 1818915 · 1818915
1 parent 759f305
commit 1818915
Show file tree

Hide file tree

Showing 23 changed files with 326 additions and 218 deletions.
diff --git a/examples/cactus-check-connection-ethereum-validator/package.json b/examples/cactus-check-connection-ethereum-validator/package.json
@@ -15,7 +15,7 @@
   },
   "dependencies": {
     "escape-html": "1.0.3",
-    "socket.io": "4.4.1"
+    "socket.io": "4.5.4"
   },
   "devDependencies": {
     "@types/escape-html": "1.0.1",

diff --git a/examples/cactus-example-discounted-asset-trade/package.json b/examples/cactus-example-discounted-asset-trade/package.json
@@ -32,7 +32,7 @@
     "log4js": "6.4.0",
     "morgan": "1.9.1",
     "shelljs": "0.8.5",
-    "socket.io": "4.4.1",
+    "socket.io": "4.5.4",
     "ts-node": "8.9.1",
     "web3": "1.8.1",
     "xmlhttprequest": "1.8.0"

diff --git a/examples/cactus-example-electricity-trade/package.json b/examples/cactus-example-electricity-trade/package.json
@@ -30,7 +30,7 @@
     "log4js": "6.4.0",
     "morgan": "1.9.1",
     "shelljs": "0.8.5",
-    "socket.io": "4.4.1",
+    "socket.io": "4.5.4",
     "ts-node": "8.9.1",
     "web3": "1.8.1",
     "xmlhttprequest": "1.8.0"

diff --git a/examples/cactus-example-electricity-trade/tools/transferNumericAsset/package.json b/examples/cactus-example-electricity-trade/tools/transferNumericAsset/package.json
@@ -15,7 +15,7 @@
     "ethereumjs-tx": "2.1.2",
     "ts-node": "9.1.1",
     "web3": "1.8.1",
-    "socket.io": "4.4.1"
+    "socket.io": "4.5.4"
   },
   "devDependencies": {
     "typescript": "3.9.10"

diff --git a/examples/cactus-example-tcs-huawei/package.json b/examples/cactus-example-tcs-huawei/package.json
@@ -29,7 +29,7 @@
     "log4js": "6.4.0",
     "morgan": "1.9.1",
     "shelljs": "0.8.5",
-    "socket.io": "4.4.1",
+    "socket.io": "4.5.4",
     "ts-node": "8.9.1",
     "web3": "1.7.0",
     "xmlhttprequest": "1.8.0"
@@ -43,4 +43,4 @@
     "eslint-plugin-prettier": "4.0.0",
     "prettier": "2.5.1"
   }
-}
+}
diff --git a/examples/cactus-example-tcs-huawei/tools/transferNumericAsset/package.json b/examples/cactus-example-tcs-huawei/tools/transferNumericAsset/package.json
@@ -15,7 +15,7 @@
     "ethereumjs-tx": "2.1.2",
     "ts-node": "9.1.1",
     "web3": "1.7.0",
-    "socket.io": "4.4.1"
+    "socket.io": "4.5.4"
   },
   "devDependencies": {
     "typescript": "3.9.10"

diff --git a/examples/test-run-transaction/package.json b/examples/test-run-transaction/package.json
@@ -28,7 +28,7 @@
     "log4js": "6.4.0",
     "morgan": "1.9.1",
     "shelljs": "0.8.5",
-    "socket.io": "4.4.1",
+    "socket.io": "4.5.4",
     "ts-node": "8.9.1",
     "web3": "1.7.0",
     "xmlhttprequest": "1.8.0"

diff --git a/extensions/cactus-plugin-htlc-coordinator-besu/package.json b/extensions/cactus-plugin-htlc-coordinator-besu/package.json
@@ -69,14 +69,14 @@
     "joi": "14.3.1",
     "openapi-types": "7.0.1",
     "prom-client": "13.1.0",
-    "socket.io-client": "4.1.3",
+    "socket.io-client": "4.5.4",
     "typescript-optional": "2.0.1"
   },
   "devDependencies": {
     "@hyperledger/cactus-plugin-keychain-memory": "2.0.0-alpha.1",
     "@hyperledger/cactus-test-tooling": "2.0.0-alpha.1",
     "@types/express": "4.17.8",
-    "socket.io": "4.4.1"
+    "socket.io": "4.5.4"
   },
   "engines": {
     "node": ">=10",

diff --git a/packages-python/cactus_validator_socketio_indy/testcli/package.json b/packages-python/cactus_validator_socketio_indy/testcli/package.json
@@ -4,6 +4,6 @@
   "private": true,
   "dependencies": {
     "jsonwebtoken": "8.5.1",
-    "socket.io-client": "4.1.3"
+    "socket.io-client": "4.5.4"
   }
 }
diff --git a/packages-python/cactus_validator_socketio_iroha/testcli/package.json b/packages-python/cactus_validator_socketio_iroha/testcli/package.json
@@ -5,6 +5,6 @@
   "dependencies": {
     "json-bigint": "1.0.0",
     "jsonwebtoken": "8.5.1",
-    "socket.io-client": "4.1.3"
+    "socket.io-client": "4.5.4"
   }
 }
diff --git a/packages/cactus-cmd-api-server/package.json b/packages/cactus-cmd-api-server/package.json
@@ -86,8 +86,8 @@
     "run-time-error": "1.4.0",
     "rxjs": "7.8.1",
     "semver": "7.5.2",
-    "socket.io": "4.4.1",
-    "socket.io-client": "4.4.1",
+    "socket.io": "4.5.4",
+    "socket.io-client": "4.5.4",
     "typescript-optional": "2.0.1",
     "uuid": "8.3.2"
   },
@@ -110,7 +110,7 @@
     "@types/semver": "7.3.8",
     "@types/uuid": "8.3.1",
     "@types/xml2js": "0.4.9",
-    "artillery": "1.7.2",
+    "artillery": "1.7.9",
     "http-status-codes": "2.1.4"
   },
   "engines": {

diff --git a/packages/cactus-cmd-socketio-server/package.json b/packages/cactus-cmd-socketio-server/package.json
@@ -31,8 +31,8 @@
     "log4js": "6.4.1",
     "morgan": "1.10.0",
     "shelljs": "0.8.5",
-    "socket.io": "4.4.1",
-    "socket.io-client": "4.1.3",
+    "socket.io": "4.5.4",
+    "socket.io-client": "4.5.4",
     "web3": "1.6.0",
     "xmlhttprequest": "1.8.0"
   },

diff --git a/packages/cactus-core-api/package.json b/packages/cactus-core-api/package.json
@@ -83,7 +83,7 @@
     "@types/express": "4.17.13",
     "make-dir-cli": "3.0.0",
     "rxjs": "7.8.1",
-    "socket.io": "4.4.1",
+    "socket.io": "4.5.4",
     "typescript-optional": "2.0.1"
   }
 }
diff --git a/packages/cactus-plugin-ledger-connector-besu/package.json b/packages/cactus-plugin-ledger-connector-besu/package.json
@@ -64,7 +64,7 @@
     "prom-client": "13.2.0",
     "run-time-error": "1.4.0",
     "rxjs": "7.8.1",
-    "socket.io-client": "4.1.3",
+    "socket.io-client": "4.5.4",
     "typescript-optional": "2.0.1",
     "web3": "1.5.2",
     "web3-core": "1.5.2",
@@ -76,7 +76,7 @@
     "@hyperledger/cactus-plugin-keychain-memory": "2.0.0-alpha.1",
     "@hyperledger/cactus-test-tooling": "2.0.0-alpha.1",
     "@types/express": "4.17.13",
-    "socket.io": "4.4.1",
+    "socket.io": "4.5.4",
     "web3-core": "1.5.2",
     "web3-eth": "1.5.2"
   },

diff --git a/packages/cactus-plugin-ledger-connector-fabric-socketio/package.json b/packages/cactus-plugin-ledger-connector-fabric-socketio/package.json
@@ -34,7 +34,7 @@
     "protobufjs": "5.0.3",
     "serve-favicon": "2.4.5",
     "shelljs": "0.8.5",
-    "socket.io": "4.4.1"
+    "socket.io": "4.5.4"
   },
   "devDependencies": {
     "@hyperledger/cactus-api-client": "2.0.0-alpha.1",

diff --git a/...cactus-plugin-ledger-connector-fabric-socketio/src/test/typescript/unit-test/package.json b/...cactus-plugin-ledger-connector-fabric-socketio/src/test/typescript/unit-test/package.json
@@ -11,7 +11,7 @@
   "dependencies": {
     "@types/node": "14.18.12",
     "config": "1.31.0",
-    "socket.io-client": "4.1.3",
+    "socket.io-client": "4.5.4",
     "ts-node": "9.1.1",
     "fabric-ca-client": "2.2.10",
     "fabric-network": "2.2.10",

diff --git a/packages/cactus-plugin-ledger-connector-go-ethereum-socketio/package.json b/packages/cactus-plugin-ledger-connector-go-ethereum-socketio/package.json
@@ -28,7 +28,7 @@
     "morgan": "1.10.0",
     "serve-favicon": "2.4.5",
     "shelljs": "0.8.5",
-    "socket.io": "4.4.1",
+    "socket.io": "4.5.4",
     "web3": "1.8.1"
   },
   "devDependencies": {

diff --git a/...s-plugin-ledger-connector-go-ethereum-socketio/src/test/typescript/unit-test/package.json b/...s-plugin-ledger-connector-go-ethereum-socketio/src/test/typescript/unit-test/package.json
@@ -15,7 +15,7 @@
     "ethereumjs-tx": "2.1.2",
     "ts-node": "9.1.1",
     "web3": "1.7.0",
-    "socket.io-client": "4.1.3"
+    "socket.io-client": "4.5.4"
   },
   "devDependencies": {
     "typescript": "3.9.10"

diff --git a/packages/cactus-plugin-ledger-connector-iroha2/package.json b/packages/cactus-plugin-ledger-connector-iroha2/package.json
@@ -67,7 +67,7 @@
     "body-parser": "1.19.0",
     "jest": "28.1.0",
     "jest-extended": "2.0.0",
-    "socket.io": "4.4.1",
+    "socket.io": "4.5.4",
     "uuid": "8.3.2"
   },
   "engines": {
@@ -77,4 +77,4 @@
   "publishConfig": {
     "access": "public"
   }
-}
+}
diff --git a/packages/cactus-plugin-ledger-connector-sawtooth-socketio/package.json b/packages/cactus-plugin-ledger-connector-sawtooth-socketio/package.json
@@ -27,7 +27,7 @@
     "morgan": "1.10.0",
     "serve-favicon": "2.4.5",
     "shelljs": "0.8.5",
-    "socket.io": "4.4.1",
+    "socket.io": "4.5.4",
     "xmlhttprequest": "1.8.0"
   },
   "devDependencies": {

diff --git a/packages/cactus-plugin-ledger-connector-tcs-huawei-socketio/package.json b/packages/cactus-plugin-ledger-connector-tcs-huawei-socketio/package.json
@@ -24,10 +24,10 @@
     "morgan": "1.10.0",
     "serve-favicon": "2.4.5",
     "shelljs": "0.8.5",
-    "socket.io": "4.4.1",
+    "socket.io": "4.5.4",
     "xmlhttprequest": "1.8.0"
   },
   "devDependencies": {
     "@types/config": "0.0.41"
   }
-}
+}
diff --git a/packages/cactus-plugin-odap-hermes/package.json b/packages/cactus-plugin-odap-hermes/package.json
@@ -61,7 +61,7 @@
     "crypto-js": "4.0.0",
     "knex": "2.4.0",
     "secp256k1": "4.0.2",
-    "socket.io": "4.4.1",
+    "socket.io": "4.5.4",
     "sqlite3": "5.1.5",
     "typescript-optional": "2.0.1",
     "web3": "1.5.2",