Skip to content

[Snyk] Upgrade ws from 7.4.6 to 7.5.3 #322

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
snyk-bot wants to merge 1 commit into
base: latest
Choose a base branch
from
Open

[Snyk] Upgrade ws from 7.4.6 to 7.5.3 #322

snyk-bot wants to merge 1 commit into from

Conversation

@snyk-bot
Copy link
Contributor

@snyk-bot snyk-bot commented Aug 3, 2021

Snyk has created this PR to upgrade ws from 7.4.6 to 7.5.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 4 versions ahead of your current version.
  • The recommended version was released 24 days ago, on 2021-07-10.
Release notes
Package name: ws
  • 7.5.3 - 2021-07-10

    Bug fixes

    • The WebSocketServer constructor now throws an error if more than one of the
      noServer, server, and port options are specefied (66e58d2).
    • Fixed a bug where a 'close' event was emitted by a WebSocketServer before
      the internal HTTP/S server was actually closed (5a58730).
    • Fixed a bug that allowed WebSocket connections to be established after
      WebSocketServer.prototype.close() was called (772236a).
  • 7.5.2 - 2021-07-04

    Bug fixes

    • The opening handshake is now aborted if the client receives a
      Sec-WebSocket-Extensions header but no extension was requested or if the
      server indicates an extension not requested by the client (aca94c8).
  • 7.5.1 - 2021-06-29

    Bug fixes

    • Fixed an issue that prevented the connection from being closed properly if an
      error occurred simultaneously on both peers (b434b9f).
  • 7.5.0 - 2021-06-16

    Features

    • Some errors now have a code property describing the specific type of error
      that has occurred (#1901).

    Bug fixes

    • A close frame is now sent to the remote peer if an error (such as a data
      framing error) occurs (8806aa9).
    • The close code is now always 1006 if no close frame is received, even if the
      connection is closed due to an error (8806aa9).
  • 7.4.6 - 2021-05-25

    Bug fixes

    • Fixed a ReDoS vulnerability (00c425e).

    A specially crafted value of the Sec-Websocket-Protocol header could be used
    to significantly slow down a ws server.

    for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
    const value = 'b' + ' '.repeat(length) + 'x';
    const start = process.hrtime.bigint();

    value.trim().split(/ , /);

    const end = process.hrtime.bigint();

    console.log('length = %d, time = %f ns', length, end - start);
    }

    The vulnerability was responsibly disclosed along with a fix in private by
    Robert McLaughlin from University of California, Santa Barbara.

    In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
    allowed length of the request headers using the --max-http-header-size=size
    and/or the maxHeaderSize options.

from ws GitHub release notes
Commit messages
Package name: ws
  • 4c1849a [dist] 7.5.3
  • 772236a [fix] Abort the handshake if the server is closing or closed
  • 5a58730 [fix] Emit the `'close'` event after the server is closed
  • ea63b29 [minor] Fix typo
  • 66e58d2 [fix] Make the `{noS,s}erver`, and `port` options mutually exclusive
  • ecb9d9e [minor] Improve JSDoc-inferred types (#1912)
  • 0ad1f9d [dist] 7.5.2
  • aca94c8 [fix] Abort the handshake if an unexpected extension is received
  • 38c6c73 [dist] 7.5.1
  • 2916006 [test] Add more tests for `WebSocket.prototype.close()`
  • b434b9f [fix] Fix close edge cases
  • c3fdc99 [minor] Fix misleading comment
  • 145480a [test] Fix repeated typo
  • e3f0c17 [dist] 7.5.0
  • 1d3f4cb [doc] Fix anchor tags for error codes
  • 6eea0d4 [doc] Fix typo
  • bb5d44b [doc] Sort error codes alphabetically
  • c6e3080 [minor] Attach error codes to all receiver errors (#1901)
  • 074e6a8 [fix] Don't call `ws.terminate()` unconditionally in `duplex._destroy()`
  • 8806aa9 [fix] Close the connection cleanly when an error occurs
  • 05b8ccd [doc] Fix broken link (#1897)
  • 03a7078 [doc] Remove unsafe regex from code snippet
  • 7ee3115 [doc] Add logo to coverage badge
  • edff6bb [test] Fix nit

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@snyk-bot