chore(deps): update dependency ws to v8.17.1 [security] #102
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
8.5.0
->8.17.1
GitHub Vulnerability Alerts
CVE-2024-37890
Impact
A request with a number of headers exceeding the
server.maxHeadersCount
threshold could be used to crash a ws server.Proof of concept
Patches
The vulnerability was fixed in [email protected] (websockets/ws@e55e510) and backported to [email protected] (websockets/ws@22c2876), [email protected] (websockets/ws@eeb76d3), and [email protected] (websockets/ws@4abd8f6)
Workarounds
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=size
and/or themaxHeaderSize
options so that no more headers than theserver.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.Credits
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
References
Release Notes
websockets/ws (ws)
v8.17.1
Compare Source
Bug fixes
A request with a number of headers exceeding the[
server.maxHeadersCount
][server.maxHeadersCount]threshold could be used to crash a ws server.
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
[
--max-http-header-size=size
][--max-http-header-size=size] and/or the [maxHeaderSize
][maxHeaderSize] options sothat no more headers than the
server.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.v8.17.0
Compare Source
Features
WebSocket
constructor now accepts thecreateConnection
option (#2219).Other notable changes
allowSynchronousEvents
option has been changed totrue
(#2221).This is a breaking change in a patch release. The assumption is that the option
is not widely used.
v8.16.0
Compare Source
Features
autoPong
option (01ba54e
).v8.15.1
Compare Source
Notable changes
allowMultipleEventsPerMicrotask
option has been renamed toallowSynchronousEvents
(4ed7fe5
).This is a breaking change in a patch release that could have been avoided with
an alias, but the renamed option was added only 3 days ago, so hopefully it
hasn't already been widely used.
v8.15.0
Compare Source
Features
allowMultipleEventsPerMicrotask
option (93e3552
).v8.14.2
Compare Source
Bug fixes
swallowed when running tests (
7f4e1a7
).v8.14.1
Compare Source
Bug fixes
fd3c64c
).v8.14.0
Compare Source
Features
WebSocket
constructor now accepts HTTP(S) URLs (#2162).socket
argument ofserver.handleUpgrade()
can now be a genericDuplex
stream (#2165).Other notable changes
v8.13.0
Compare Source
Features
finishRequest
option to support late addition of headers (#2123).v8.12.1
Compare Source
Bug fixes
browser
condition to package.json (#2118).v8.12.0
Compare Source
Features
utf-8-validate@6
(ff63bba
).Other notable changes
buffer.isUtf8()
][buffer.isUtf8()] is now used instead ofutf-8-validate
if available(
42d79f6
).v8.11.0
Compare Source
Features
WebSocket.prototype.addEventListener()
now supports an event listenerspecified as an object with a
handleEvent()
method. (9ab743a
).Bug fixes
WebSocket.prototype.addEventListener()
now adds an event listener only if itis not already in the list of the event listeners for the specified event type
(
1cec17d
).v8.10.0
Compare Source
Features
211d5d3
).v8.9.0
Compare Source
Features
v8.8.1
Compare Source
Bug fixes
Authorization
andCookie
headers are no longer sent if the originalrequest for the opening handshake is sent to an IPC server and the client is
redirected to another IPC server (
bc8bd34
).v8.8.0
Compare Source
Features
WS_NO_BUFFER_UTIL
andWS_NO_UTF_8_VALIDATE
environmentvariables (
becf237
).v8.7.0
Compare Source
Features
them with a custom HTTP response. (
6e5a5ce
).Bug fixes
Upgrade
header field value in the HTTPresponse is not a case-insensitive match for the value "websocket" (
0fdcc0a
).Authorization
andCookie
headers are no longer sent when following aninsecure redirect (wss: to ws:) to the same host (
d68ba9e
).v8.6.0
Compare Source
Features
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.