refactor(server): Update ws to address CVE (#22845)

## Description

Updates dependencies to get to [email protected] (or [email protected]) to address
https://nvd.nist.gov/vuln/detail/CVE-2024-37890. Updating socket.io to
4.8.0 was necessary in some cases get the necessary dependency ranges.

socket.io 4.7.5-4.8.0 is a minor semver update but contains [a breaking
change in the type of the `close()`
function](https://github.com/socketio/socket.io/pull/4971/files), so two
places had to be updated to account for that.

Author: alexvy86

server/gitrest/pnpm-lock.yaml

@@ -75,7 +75,7 @@
 		"lodash": "^4.17.21",
 		"sillyname": "^0.1.0",
 		"uuid": "^9.0.0",
-		"ws": "^7.4.6"
+		"ws": "^7.5.10"
 	},
 	"devDependencies": {
 		"@fluid-tools/build-cli": "^0.38.0",

server/historian/pnpm-lock.yaml

@@ -83,7 +83,7 @@
 		"sillyname": "^0.1.0",
 		"uuid": "^9.0.0",
 		"winston": "^3.6.0",
-		"ws": "^7.4.6"
+		"ws": "^7.5.10"
 	},
 	"devDependencies": {
 		"@fluid-tools/build-cli": "^0.38.0",

server/routerlicious/packages/memory-orderer/package.json

@@ -72,8 +72,8 @@
 		"nconf": "^0.12.0",
 		"notepack.io": "^2.3.0",
 		"serialize-error": "^8.1.0",
-		"socket.io": "^4.7.5",
-		"socket.io-adapter": "^2.5.4",
+		"socket.io": "^4.8.0",
+		"socket.io-adapter": "^2.5.5",
 		"socket.io-parser": "^4.2.4",
 		"uuid": "^9.0.0",
 		"winston": "^3.6.0"

server/routerlicious/packages/routerlicious-base/package.json

@@ -321,8 +321,12 @@ class SocketIoServer implements core.IWebSocketServer {
 			}
 		}
 
-		this.io.close();
-		await sleep(3000); // Give time for any  disconnect handlers to execute before closing Redis resources
+		await this.io.close();
+		// Give time for any disconnect handlers to execute before closing Redis resources
+		// Note: on 2024-10-18, with the update to [email protected], the close() call above became async.
+		// Maybe this sleep can be removed now? Not familiar enough with server to try to do it.
+		// See https://github.com/socketio/socket.io/pull/4971 for details on the change.
+		await sleep(3000);
 		await Promise.all([
 			this.redisClientConnectionManagerForPub.getRedisClient().quit(),
 			this.redisClientConnectionManagerForSub.getRedisClient().quit(),

server/routerlicious/packages/services-shared/package.json

@@ -71,7 +71,7 @@
 		"lru-cache": "^6.0.0",
 		"mongodb": "4.17.1",
 		"nconf": "^0.12.0",
-		"socket.io": "^4.7.5",
+		"socket.io": "^4.8.0",
 		"telegrafjs": "^0.1.3",
 		"uuid": "^9.0.0",
 		"winston": "^3.6.0"

server/routerlicious/packages/services-shared/src/socketIoServer.ts

@@ -65,7 +65,7 @@
 		"lodash": "^4.17.21",
 		"morgan": "^1.8.1",
 		"nconf": "^0.12.0",
-		"socket.io": "^4.7.5",
+		"socket.io": "^4.8.0",
 		"split": "^1.0.0",
 		"uuid": "^9.0.0",
 		"winston": "^3.6.0"

server/routerlicious/packages/services/package.json

@@ -70,8 +70,8 @@ class SocketIoServer extends EventEmitter implements IWebSocketServer {
 		});
 	}
 
-	public async close(): Promise<void> {
-		await new Promise<void>((resolve) => this.io.close(() => resolve()));
+	public close(): Promise<void> {
+		return this.io.close();
 	}
 }