fix(deps): update socket.io to version 2.0.3

[kevinsalter]

Fixes issue #2777

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If your company signed a CLA, they designated a Point of Contact who decides which employees are authorized to participate. You may need to contact the Point of Contact for your company and ask to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the project maintainer to go/cla#troubleshoot.
• In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again.

[kevinsalter]

I signed it!

[googlebot]

CLAs look good, thanks!

[dignifiedquire]

We require browser support down to IE 7, can you confirm that this is still given with this new socket.io version? otherwise I don't think we can easily upgrade

[tonyd256]

@dignifiedquire I realize this may not be your decision but would you be able to change your support requirements? Looking at a bunch of browser usage statistics, IE 7 doesn't even register anymore as a used browser.
https://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0
https://www.w3counter.com/trends
And many move available here: https://en.wikipedia.org/wiki/Usage_share_of_web_browsers

Also, even Microsoft themselves don't support it as well as a few versions above it.
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support

[bengourley]

We require browser support down to IE 7, can you confirm that this is still given with this new socket.io version?

@dignifiedquire as far as I can see, socket.io still supports IE6+7. Their test suite/CI has passing automated tests for both these browsers:

Would be great to get this merged and published!

---

Thanks @kevinsalter for putting this PR together, I'm currently using your fork until this gets merged 👍

[acoard]

Any update on this? The current version of Socket.io being used, 1.7.4, relies on debug@2.3.3 which has a known ReDos vulnerability.

[mattgrande]

The version of socket.io being used also relies on ws@1.1.2 which also has a known DoS vulnerability.

[johnjbarton]

I assume that the CI tests cover the cases important to users so we need to have those pass.

[johnjbarton]

Thanks @kevinsalter, to get around being unable to re-build in appveyor, I stole your thunder in #2880

[kevinsalter]

@johnjbarton all good, happy to see this go out 😄