Bump ws from 8.18.0 to 8.20.1#1473
Merged
Merged
Conversation
Bumps [ws](https://github.com/websockets/ws) from 8.18.0 to 8.20.1. - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.0...8.20.1) --- updated-dependencies: - dependency-name: ws dependency-version: 8.20.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Stale comment
No blocking issues found.
Security
- This bump is a net security improvement. Upstream
ws8.20.1fixes GHSA-58qx-3vcg-4xpx /CVE-2026-45736, an uninitialized memory disclosure inwebsocket.close()when an unsupportedTypedArrayis passed as the close reason.- I did not find any new packages or expanded dependency surface in this PR: the diff is limited to
yarn.lock, and the lockfile still resolves the samewsdependency paths.- In this repository,
wsis not imported directly by application code. The resolved consumers are tooling/runtime dependencies (webpack-dev-server,jsdom, andwebpack-bundle-analyzer).Safety Of Merging
- Upstream changes between
8.18.0and8.20.1are mostly additive or bug-fix oriented: a newcloseTimeoutoption, some extra exports, a Node.js compatibility fix, and the security fix above.- The one behavior tightening worth noting is that unsupported close reasons are no longer silently accepted in the vulnerable path. Code that incorrectly passes a non-
Uint8Arraytyped array towebsocket.close()could now fail differently. I did not find any directwsusage in this repo, so that risk looks low here.- Because this is an indirect dependency update with no app-source changes, merge risk is primarily around dev/test infrastructure rather than user-facing runtime behavior.
Recommendation
- Merge with caution: I recommend merging once the PR's
test-cypressGitHub check completes successfully.- If that check goes green, this looks like a worthwhile security maintenance update with low repository-specific regression risk.
Test Results
Local on this agent:
yarn install --immutable✅yarn lint✅CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter✅ (92suites passed,835tests passed)- Local Cypress: not runnable in this cloud environment.
yarn exec cypress run --config-file cypress.config.mjs --browser electronfailed because the Cypress14.5.4desktop binary is not installed in the agent cache, andyarn exec cypress installdid not provision it here.GitHub checks at review time:
lint✅test✅test-cypress⏳ still runningSent by Cursor Automation: Editor-UI - Tests Dependabot PRs
There was a problem hiding this comment.
No blocking findings.
Security
- This bump resolves the upstream
wsuninitialized memory disclosure fixed in8.20.1(reported asCVE-2026-45736). In affected versions, callingwebsocket.close()with an unsupportedTypedArrayreasoncould leak uninitialized memory to the remote peer. - I did not find any new supply-chain expansion in this PR: it is a lockfile-only update and still resolves to a single
wspackage, now unified at8.20.1.
Safety of merging
- In this repository,
wsis not imported directly.yarn why wsshows it is only pulled in transitively bywebpack-dev-server,webpack-bundle-analyzer, andjsdom, so the risk is concentrated in local dev/test tooling rather than shipped application code. - The upstream changes between
8.18.0and8.20.1are low risk for this repo:8.19.0added the optionalcloseTimeoutsetting and a Node core compatibility fix,8.20.0added new exports, and8.20.1fixed the disclosure bug. - The main behavior change to be aware of is that invalid
websocket.close()reasonvalues now error instead of leaking memory. I found no repository code that importswsor appears coupled to that API, so I do not see a practical compatibility concern here.
Test results
- Local:
yarn install --immutablepassed. - Local:
yarn lintpassed. - Local:
CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporterpassed (92/92suites,835/835tests). - Local Cypress was not runnable in this cloud agent because the Cypress package is present but the Cypress binary is not installed.
- GitHub checks at review time:
lintpassed,testpassed,deploy-branch / build-deploypassed, andtest-cypresswas still in progress.
Recommendation
Merge with caution: from a dependency-review standpoint this looks safe and net-positive, but I would wait for the hostedtest-cypressjob to finish green before merging.
Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
zetter-rpf
approved these changes
May 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.


Bumps ws from 8.18.0 to 8.20.1.
Release notes
Sourced from ws's releases.
... (truncated)
Commits
5d9b316[dist] 8.20.1c0327ec[security] Fix uninitialized memory disclosure inwebsocket.close()ce2a3d6[ci] Test on node 2658e45b8[ci] Do not test on node 255f26c24[ci] Run the lint step on node 248439255[dist] 8.20.0d3503c1[minor] Export thePerMessageDeflateclass and header utils3ee5349[api] Convert theisServerandmaxPayloadparameters to options91707b4[doc] Add missing space8b55319[pkg] Update eslint to version 10.0.1Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.