Skip to content

chore(deps): update dependency sse-channel to v4.0.1 [security]#1216

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-sse-channel-vulnerability
Open

chore(deps): update dependency sse-channel to v4.0.1 [security]#1216
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-sse-channel-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 6, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
sse-channel 4.0.04.0.1 age confidence

sse-channel: SSE Injection via unsanitized event fields

CVE-2026-44217 / GHSA-84hm-wfh8-c5pg

More information

Details

Impact

Implementations that allows user-provided values to be passed to event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.

  • Event Spoofing: Attacker can inject arbitrary SSE events into the stream
  • Client-side Manipulation: Injected events can trigger unintended behavior in frontend JavaScript EventSource listeners
  • Data Integrity: Consumers of the SSE stream cannot distinguish injected events from legitimate ones
Patches

Patch available in v4.0.1.

Workarounds

Do not allow user data to control event, retry or id fields, and if you must - sanitize the input before passing it to sse-channel, stripping any newlines.

Resources

https://github.com/rexxars/sse-channel/issues/42

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

rexxars/sse-channel (sse-channel)

v4.0.1

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

@renovate renovate Bot requested a review from a team May 6, 2026 23:29
@vercel
Copy link
Copy Markdown

vercel Bot commented May 6, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
tsdocs-client Ignored Ignored May 28, 2026 11:48pm

Request Review

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 6, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​sse-channel@​4.0.0 ⏵ 4.0.180 -3100 +210087 +9100

View full report

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 6, 2026
edited
Loading

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 88.74% 3973 / 4477
🔵 Statements 88.74% 3973 / 4477
🔵 Functions 86.3% 315 / 365
🔵 Branches 90.76% 1199 / 1321
File CoverageNo changed files found.
Generated in workflow #4339 for commit 8403781 by the Vitest Coverage Report Action

@renovate renovate Bot force-pushed the renovate/npm-sse-channel-vulnerability branch from a001ce7 to 8403781 Compare May 28, 2026 23:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

🤖 bot 📦 deps

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants