Bump engine.io from 6.4.1 to 6.4.2 in /js/web by dependabot[bot] · Pull Request #15799 · microsoft/onnxruntime

dependabot · 2023-05-03T22:08:39Z

Bumps engine.io from 6.4.1 to 6.4.2.

Release notes

6.4.2

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
  at Server.onWebSocket (build/server.js:515:67)
Please upgrade as soon as possible.

Bug Fixes

include error handling for Express middlewares (#674) (9395782)

prevent crash when provided with an invalid query param (fc480b4)

typings: make clientsCount public (#675) (bd6d471)

uws: prevent crash when using with middlewares (8b22162)

Credits

Huge thanks to @tyilo and @cieldeville for helping!

Links

Diff: socketio/engine.io@6.4.1...6.4.2

Client release: -

ws version: ~8.11.0 (no change)

Changelog

Sourced from engine.io's changelog.

6.4.2 (2023-05-02)

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
  at Server.onWebSocket (build/server.js:515:67)
Please upgrade as soon as possible.

Bug Fixes

include error handling for Express middlewares (#674) (9395782)

prevent crash when provided with an invalid query param (fc480b4)

typings: make clientsCount public (#675) (bd6d471)

uws: prevent crash when using with middlewares (8b22162)

Credits

Huge thanks to @tyilo and @cieldeville for helping!

Dependencies

ws@~8.11.0 (no change)

Commits

95e2153 chore(release): 6.4.2
fc480b4 fix: prevent crash when provided with an invalid query param
0141951 refactor(types): ensure compatibility with Express middlewares
8b22162 fix(uws): prevent crash when using with middlewares
9395782 fix: include error handling for Express middlewares (#674)
911d0e3 refactor: return HTTP 400 upon invalid request overlap
bd6d471 fix(typings): make clientsCount public (#675)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

fs-eire · 2023-05-03T22:57:04Z

/azp run Linux CPU CI Pipeline, Linux CPU Minimal Build E2E CI Pipeline, Linux GPU CI Pipeline, Linux GPU TensorRT CI Pipeline, Linux OpenVINO CI Pipeline, MacOS CI Pipeline, ONNX Runtime Web CI Pipeline, onnxruntime-binary-size-checks-ci-pipeline, Linux QNN CI Pipeline

fs-eire · 2023-05-03T22:57:30Z

/azp run Windows CPU CI Pipeline, Windows GPU CI Pipeline, Windows GPU TensorRT CI Pipeline, Windows ARM64 QNN CI Pipeline, orttraining-linux-ci-pipeline, orttraining-linux-gpu-ci-pipeline, orttraining-ortmodule-distributed, ONNX Runtime React Native CI Pipeline

azure-pipelines · 2023-05-03T22:57:41Z

Azure Pipelines successfully started running 9 pipeline(s).

azure-pipelines · 2023-05-03T22:57:58Z

Azure Pipelines successfully started running 8 pipeline(s).

fs-eire · 2023-05-03T22:58:34Z

@dependabot squash and merge

Bumps [engine.io](https://github.com/socketio/engine.io) from 6.4.1 to 6.4.2. - [Release notes](https://github.com/socketio/engine.io/releases) - [Changelog](https://github.com/socketio/engine.io/blob/main/CHANGELOG.md) - [Commits](socketio/engine.io@6.4.1...6.4.2) --- updated-dependencies: - dependency-name: engine.io dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>

fs-eire · 2023-05-04T08:14:08Z

/azp run Windows CPU CI Pipeline, Windows GPU CI Pipeline, Windows GPU TensorRT CI Pipeline, Windows ARM64 QNN CI Pipeline, orttraining-linux-ci-pipeline, orttraining-linux-gpu-ci-pipeline, orttraining-ortmodule-distributed, ONNX Runtime React Native CI Pipeline

fs-eire · 2023-05-04T08:14:22Z

/azp run Linux CPU CI Pipeline, Linux CPU Minimal Build E2E CI Pipeline, Linux GPU CI Pipeline, Linux GPU TensorRT CI Pipeline, Linux OpenVINO CI Pipeline, MacOS CI Pipeline, ONNX Runtime Web CI Pipeline, onnxruntime-binary-size-checks-ci-pipeline, Linux QNN CI Pipeline

azure-pipelines · 2023-05-04T08:14:39Z

Azure Pipelines successfully started running 8 pipeline(s).

azure-pipelines · 2023-05-04T08:14:56Z

Azure Pipelines successfully started running 9 pipeline(s).

fs-eire · 2023-05-04T15:10:07Z

@dependabot cancel merge

### Description Cherry-picks 26 commits to the release branch. Most cherry-picks are clean merges. Except: 1. When I got conflicts in cgmanifest.json and download-deps.yml, I choose to ignore the conflicts and regenerate the two files 2. There were some conflicts in cmake/deps.txt, onnxruntime_c_api.cc PR list: [js/webgpu] fix Transpose with non-float tensor (#15819) [js/web] fix terser reserved symbols for worker (#15864) [JSEP] fix constructor for OrtDevice (#15805) Bump engine.io from 6.4.1 to 6.4.2 in /js/web (#15799) Bump engine.io from 6.4.0 to 6.4.2 in /onnxruntime/test/wasm (#15798) [wasm] revert emsdk to v3.1.19 (#15793) [wasm/JSEP] add threaded build to artifacts (#15777) [js/web] add target ort.webgpu.min.js (#15780) update ort extensions to 94142d8391c9791ec71c38336436319a2d4ac7a0 (#15688) fix: setting builder optimization level to TRT 8.6 default (#15897) Adust GetVersionString() GetBuildInfoString() signatures and move them to OrtApi (#15921) Fix segfault for multiple GPU run (regression) (#15823) android package fix (#15999) [CoreML EP] Minor changes to allow CoreML EP to handle more nodes and models. (#15993) Adding support for conv fp16 fusion on Resnet50v1 (#15474) update onnx release 1.14 for docker files (#15680) Avoid generating training documentation during packaging (#15795) Update Conv-Add-Relu Fusion Transformation (#15834) Fix symbolic shape infer empty value_info (#15842) NhwcFusedConv: Add before Activation (#15837) use __hmul2 instead of __hmul2_rn (#15852) change the EP device to default OrtDevice() for memoryType equals CPU Input (#15903) Fixing NhwcFusedConv fp16 (#15950) fix topo sort in quantization tool (#16003) [doc] add LeakyRelu to coreml supported ops (#15944) [DML EP] Add frequent upload heap flushing (#15960) Co-authored-by: Yulong Wang Co-authored-by: dependabot[bot] Co-authored-by: Guenther Schmuelling Co-authored-by: Shalva Mist Co-authored-by: Maximilian Müller Co-authored-by: Dmitri Smirnov Co-authored-by: pengwa Co-authored-by: Ashwini Khade Co-authored-by: Edward Chen Co-authored-by: Jian Chen Co-authored-by: liqun Fu Co-authored-by: Baiju Meswani Co-authored-by: Tianlei Wu Co-authored-by: Chen Fu Co-authored-by: Ye Wang Co-authored-by: cao lei Co-authored-by: Yufeng Li Co-authored-by: Rachel Guo Co-authored-by: Patrice Vignola

### Description Cherry-picks 26 commits to the release branch. Most cherry-picks are clean merges. Except: 1. When I got conflicts in cgmanifest.json and download-deps.yml, I choose to ignore the conflicts and regenerate the two files 2. There were some conflicts in cmake/deps.txt, onnxruntime_c_api.cc PR list: [js/webgpu] fix Transpose with non-float tensor (microsoft#15819) [js/web] fix terser reserved symbols for worker (microsoft#15864) [JSEP] fix constructor for OrtDevice (microsoft#15805) Bump engine.io from 6.4.1 to 6.4.2 in /js/web (microsoft#15799) Bump engine.io from 6.4.0 to 6.4.2 in /onnxruntime/test/wasm (microsoft#15798) [wasm] revert emsdk to v3.1.19 (microsoft#15793) [wasm/JSEP] add threaded build to artifacts (microsoft#15777) [js/web] add target ort.webgpu.min.js (microsoft#15780) update ort extensions to 94142d8391c9791ec71c38336436319a2d4ac7a0 (microsoft#15688) fix: setting builder optimization level to TRT 8.6 default (microsoft#15897) Adust GetVersionString() GetBuildInfoString() signatures and move them to OrtApi (microsoft#15921) Fix segfault for multiple GPU run (regression) (microsoft#15823) android package fix (microsoft#15999) [CoreML EP] Minor changes to allow CoreML EP to handle more nodes and models. (microsoft#15993) Adding support for conv fp16 fusion on Resnet50v1 (microsoft#15474) update onnx release 1.14 for docker files (microsoft#15680) Avoid generating training documentation during packaging (microsoft#15795) Update Conv-Add-Relu Fusion Transformation (microsoft#15834) Fix symbolic shape infer empty value_info (microsoft#15842) NhwcFusedConv: Add before Activation (microsoft#15837) use __hmul2 instead of __hmul2_rn (microsoft#15852) change the EP device to default OrtDevice() for memoryType equals CPU Input (microsoft#15903) Fixing NhwcFusedConv fp16 (microsoft#15950) fix topo sort in quantization tool (microsoft#16003) [doc] add LeakyRelu to coreml supported ops (microsoft#15944) [DML EP] Add frequent upload heap flushing (microsoft#15960) Co-authored-by: Yulong Wang Co-authored-by: dependabot[bot] Co-authored-by: Guenther Schmuelling Co-authored-by: Shalva Mist Co-authored-by: Maximilian Müller Co-authored-by: Dmitri Smirnov Co-authored-by: pengwa Co-authored-by: Ashwini Khade Co-authored-by: Edward Chen Co-authored-by: Jian Chen Co-authored-by: liqun Fu Co-authored-by: Baiju Meswani Co-authored-by: Tianlei Wu Co-authored-by: Chen Fu Co-authored-by: Ye Wang Co-authored-by: cao lei Co-authored-by: Yufeng Li Co-authored-by: Rachel Guo Co-authored-by: Patrice Vignola

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 3, 2023

fs-eire added the release:1.15 label May 3, 2023

fs-eire approved these changes May 3, 2023

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/js/web/engine.io-6.4.2 branch from d6bcfc6 to fcceb31 Compare May 4, 2023 05:44

fs-eire merged commit 58ee076 into main May 4, 2023

fs-eire deleted the dependabot/npm_and_yarn/js/web/engine.io-6.4.2 branch May 4, 2023 17:06

guschmue added the platform:web issues related to ONNX Runtime web; typically submitted using template label May 8, 2023

snnn added the triage:approved Approved for cherrypicks for release label May 18, 2023

snnn removed triage:approved Approved for cherrypicks for release release:1.15 labels May 19, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comments

Bump engine.io from 6.4.1 to 6.4.2 in /js/web#15799

Bump engine.io from 6.4.1 to 6.4.2 in /js/web#15799
fs-eire merged 1 commit intomainfrom
dependabot/npm_and_yarn/js/web/engine.io-6.4.2

dependabot bot commented on behalf of github May 3, 2023 •

edited

Loading

Uh oh!

fs-eire commented May 3, 2023

Uh oh!

fs-eire commented May 3, 2023

Uh oh!

azure-pipelines bot commented May 3, 2023

Uh oh!

azure-pipelines bot commented May 3, 2023

Uh oh!

fs-eire commented May 3, 2023

Uh oh!

fs-eire commented May 4, 2023

Uh oh!

fs-eire commented May 4, 2023

Uh oh!

azure-pipelines bot commented May 4, 2023

Uh oh!

azure-pipelines bot commented May 4, 2023

Uh oh!

fs-eire commented May 4, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Comments

Conversation

dependabot bot commented on behalf of github May 3, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

6.4.2

Bug Fixes

Credits

Links

6.4.2 (2023-05-02)

Bug Fixes

Credits

Dependencies

Uh oh!

fs-eire commented May 3, 2023

Uh oh!

fs-eire commented May 3, 2023

Uh oh!

azure-pipelines bot commented May 3, 2023

Uh oh!

azure-pipelines bot commented May 3, 2023

Uh oh!

fs-eire commented May 3, 2023

Uh oh!

fs-eire commented May 4, 2023

Uh oh!

fs-eire commented May 4, 2023

Uh oh!

azure-pipelines bot commented May 4, 2023

Uh oh!

azure-pipelines bot commented May 4, 2023

Uh oh!

fs-eire commented May 4, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

dependabot bot commented on behalf of github May 3, 2023 •

edited

Loading