[Snyk] Fix for 2 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • large-file/package.json
  • large-file/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: engine.io

The new version differs by 68 commits.

• 9df38d5 docs: update the list of supported engines
• 078527a feat: disable perMessageDeflate by default
• 54c6797 docs: update the default value of maxHttpBufferSize
• 1916d3a test: remove Node.js 8 from the test matrix
• 14ca7a1 chore: restore package-lock.json file
• ed29e59 chore: bump engine.io-parser version
• 03b4967 chore: bump cookie version
• 09708eb docs(changelog): include changelog for release 3.4.2
• 82cdca2 fix: remove implicit require of uws
• 94623c8 docs(changelog): include changelog for release 3.4.1
• dcdbccb fix: ignore errors when forcefully closing the socket ([Snyk(Unlimited)] Upgrade term-ng from 0.8.1 to 0.8.5 #601)
• 71ece3e chore(release): 4.0.0-alpha.1
• b27215d chore(release): 4.0.0-alpha.0
• 734f9d1 feat: decrease the default value of maxHttpBufferSize
• 61b9492 feat: use the cors module to handle cross-origin requests
• bafe684 refactor: refactor the handling of the options
• 61e639b test: add Node.js 10, 12 and 13 in the test matrix
• a374471 feat: disable cookie by default and add sameSite attribute
• 31ff875 feat: reverse the ping-pong mechanism
• 2ae2520 chore: point towards the v4 branch
• f3c291f feat: generateId method can now return a Promise
• 33564b2 refactor: use prettier to format code
• da93fb6 refactor: migrate to ES6 syntax
• ecfcc69 [chore] Release 3.4.0

See the full diff

Package name: karma

The new version differs by 246 commits.

• 16010eb chore(release): 5.0.8 [skip ci]
• a409696 chore: remove unused `grunt lint` command ([Snyk(Unlimited)] Upgrade sgr-composer from 0.5.0 to 0.5.3 #3515)
• 47f1cb2 fix(dependencies): update to latest log4js major ([Snyk(Unlimited)] Upgrade term-ng from 0.8.1 to 0.8.5 #3514)
• b60391f fix(dependencies): update and unlock socket.io dependency ([Snyk(Unlimited)] Upgrade lodash from 4.17.10 to 4.17.15 #3513)
• 4d49948 chore(release): 5.0.7 [skip ci]
• f399063 fix: detect type for URLs with query parameter or fragment identifier ([Snyk(Unlimited)] Upgrade consolidate from 0.14.5 to 0.15.1 #3509)
• 17b50bc chore(release): 5.0.6 [skip ci]
• 0cd696f fix(dependencies): update production dependencies ([Snyk(Unlimited)] Upgrade @thebespokepixel/string from 0.5.2 to 0.5.10 #3512)
• 7c24a03 chore: fix broken HTML markup in the changelog file ([Snyk(Unlimited)] Upgrade cfenv from 1.1.0 to 1.2.2 #3507)
• fdc4f9d refactor(test): remove no debug matching option ([Snyk(Unlimited)] Upgrade dustjs-helpers from 1.5.0 to 1.7.4 #3504)
• 35d57e9 chore(release): 5.0.5 [skip ci]
• e99da31 fix(cli): restore command line help contents ([Snyk(Unlimited)] Upgrade dustjs-linkedin from 2.5.0 to 2.7.5 #3502)
• 4f2fe56 chore: add Node 14 to the build matrix ([Snyk(Unlimited)] Upgrade st from 0.2.4 to 0.5.5 #3501)
• 100b227 refactor(test): move execKarma into the World ([Snyk(Unlimited)] Upgrade errorhandler from 1.2.0 to 1.5.1 #3500)
• f375884 refactor(test): reduce execKarma to a reasonable size ([Snyk(Unlimited)] Upgrade express from 4.12.4 to 4.17.1 #3496)
• a3d1f11 refactor(test): add common method to start server in background ([Snyk(Unlimited)] Upgrade body-parser from 1.9.0 to 1.19.0 #3495)
• e4a5126 refactor(test): write config file in its own steps ([Snyk(Unlimited)] Upgrade mongoose from 4.2.4 to 4.13.19 #3494)
• 0bd5c2b refactor(test): adjust sandbox folder location and simplify config logic ([Snyk(Unlimited)] Upgrade consolidate from 0.14.5 to 0.15.1 #3493)
• b788f94 refactor(test): extract proxy into a separate Given claim ([Snyk(Unlimited)] Upgrade humanize-ms from 1.0.1 to 1.2.1 #3492)
• 633f833 chore(release): 5.0.4 [skip ci]
• 810489d refactor(test): migrate Proxy to ES2015 ([Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.4.13 #3490)
• fa95fa3 fix(browser): make sure that empty results array is still recognized ([Snyk(Unlimited)] Upgrade dustjs-linkedin from 2.5.0 to 2.7.5 #3486)
• 255bf67 refactor(test): migrate World to ES2015 ([Snyk(Unlimited)] Upgrade cookie-parser from 1.3.3 to 1.4.4 #3489)
• be5db67 chore(test): remove usage of deprecated defineSupportCode ([Snyk(Unlimited)] Upgrade dustjs-helpers from 1.5.0 to 1.7.4 #3488)

See the full diff

Package name: socket.io

The new version differs by 108 commits.

• 1af3267 chore(release): 3.0.0
• 02951c4 chore(release): 3.0.0-rc4
• 54bf4a4 feat: emit an Error object upon middleware error
• aa7574f feat: serve msgpack bundle
• 64056d6 docs(examples): update TypeScript example
• cacad70 chore(release): 3.0.0-rc3
• d16c035 refactor: rename ERROR to CONNECT_ERROR
• 5c73733 feat: add support for catch-all listeners
• 129c641 feat: make Socket#join() and Socket#leave() synchronous
• 0d74f29 refactor(typings): export Socket class
• 7603da7 feat: remove prod dependency to socket.io-client
• a81b9f3 docs(examples): add example with TypeScript
• 20ea6bd docs(examples): add example with ES modules
• 0ce5b4c chore(release): 3.0.0-rc2
• 8a5db7f refactor: remove duplicate _sockets map
• 2a05042 refactor: add additional typings
• 91cd255 fix: close clients with no namespace
• 58b66f8 refactor: hide internal methods and properties
• 669592d feat: move binary detection back to the parser
• 2d2a31e chore: publish the wrapper.mjs file
• ebb0575 chore(release): 3.0.0-rc1
• c0d171f test: use the reconnect event of the Manager
• 9c7a48d test: use the complete export name
• 4bd5b23 feat: throw upon reserved event names

See the full diff

Package name: socket.io-client

The new version differs by 75 commits.

• b7e07ba chore(release): 3.0.0
• ffa2804 chore(release): 3.0.0-rc4
• 0939395 feat: emit an Error object upon middleware error
• 969debe refactor: rework of the Manager events
• a9127ce chore(release): 3.0.0-rc3
• 13e1db7 refactor: rename ERROR to CONNECT_ERROR
• 55f464f feat: add support for catch-all listeners
• 71d6048 feat: add bundle with msgpack parser
• f3cbe98 refactor: additional typings
• 7ddad2c feat: add volatile events
• b600e78 chore(release): 3.0.0-rc2
• 1789094 feat: move binary detection back to the parser
• c7998d5 refactor: add Manager and Socket typings
• 2c7c230 chore: publish the wrapper.mjs file
• a66473f chore: use socketio GitHub organization
• 946a9f0 chore: fix test script
• a838ff1 chore(release): 3.0.0-rc1
• b68f816 chore: bump debug
• cbabb03 feat: add ES6 module export
• e826992 refactor: remove the 'connect_timeout' event
• b60e909 refactor: remove the 'connecting' event
• 6494f61 feat: throw upon reserved event names
• 132f8ec feat: split the events of the Manager and Socket
• 6cd2e4e refactor: remove the packetBuffer array

See the full diff

Package name: socket.io-parser

The new version differs by 25 commits.

• a8130ce chore: release 3.4.1
• dcb942d fix: prevent DoS (OOM) via massive packets ([Snyk(Unlimited)] Upgrade undefsafe from 1.3.1 to 1.3.1 #95)
• a5d0435 test: transpile to es5 with babelify
• 652402a [chore] Release 3.4.0
• 9b3572e [chore] Bump debug to version 4.1.0 ([Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 #92)
• de1fd36 [docs] Fix incorrect socket.io-protocol version in Readme ([Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 #89)
• 0de72b9 [chore] Release 3.3.0
• b47efb2 [fix] Remove any reference to the `global` variable
• d95e38f [chore] Update the Makefile
• b57e063 [test] Update travis configuration
• 48f340e [refactor] Fix a small typo and code styling ([Snyk-local] Fix for 38 vulnerable dependencies #88)
• 6e40018 [chore] Release 3.2.0
• 92c530d [fix] Properly handle JSON.stringify errors ([Snyk] Upgrade qs from 0.0.6 to 0.6.6 #84)
• dc4f475 [revert] Move binary detection to the parser
• f115039 [test] Update travis configuration
• 6b356eb [fix] Properly detect typed arrays ([Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 #85)
• f9c0625 [chore] Release 3.1.3
• f0a7df1 [fix] Ensure packet data is an array ([Snyk] Upgrade node-uuid from 1.4.0 to 1.4.8 #83)
• 8822578 [fix] Use ArrayBuffer.isView to check for typed arrays ([Snyk] Upgrade qs from 0.0.6 to 0.6.6 #82)
• dd164e6 [chore] Bump debug to version 3.1.0
• f9c3549 [chore] Release 3.1.2
• 425391a [chore] Bump has-binary2 to version 1.0.2 ([Snyk-local] Fix for 1 vulnerable dependencies #70)
• b4f849a [fix] Fix Blob detection for iOS 8/9 ([Snyk-local] Fix for 1 vulnerable dependencies #69)
• eaee5d5 [chore] Release 3.1.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic