Skip to content

Bump ws from 8.18.0 to 8.20.1#1473

Merged
zetter-rpf merged 1 commit into
mainfrom
dependabot/npm_and_yarn/ws-8.20.1
May 26, 2026
Merged

Bump ws from 8.18.0 to 8.20.1#1473
zetter-rpf merged 1 commit into
mainfrom
dependabot/npm_and_yarn/ws-8.20.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 20, 2026

Copy link
Copy Markdown
Contributor

Bumps ws from 8.18.0 to 8.20.1.

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

  • Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

  • Added the closeTimeout option (#2308).

Bug fixes

  • Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • 3ee5349 [api] Convert the isServer and maxPayload parameters to options
  • 91707b4 [doc] Add missing space
  • 8b55319 [pkg] Update eslint to version 10.0.1
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [ws](https://github.com/websockets/ws) from 8.18.0 to 8.20.1.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.18.0...8.20.1)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Copilot AI review requested due to automatic review settings May 20, 2026 10:03
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 20, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stale comment

No blocking issues found.

Security

  • This bump is a net security improvement. Upstream ws 8.20.1 fixes GHSA-58qx-3vcg-4xpx / CVE-2026-45736, an uninitialized memory disclosure in websocket.close() when an unsupported TypedArray is passed as the close reason.
  • I did not find any new packages or expanded dependency surface in this PR: the diff is limited to yarn.lock, and the lockfile still resolves the same ws dependency paths.
  • In this repository, ws is not imported directly by application code. The resolved consumers are tooling/runtime dependencies (webpack-dev-server, jsdom, and webpack-bundle-analyzer).

Safety Of Merging

  • Upstream changes between 8.18.0 and 8.20.1 are mostly additive or bug-fix oriented: a new closeTimeout option, some extra exports, a Node.js compatibility fix, and the security fix above.
  • The one behavior tightening worth noting is that unsupported close reasons are no longer silently accepted in the vulnerable path. Code that incorrectly passes a non-Uint8Array typed array to websocket.close() could now fail differently. I did not find any direct ws usage in this repo, so that risk looks low here.
  • Because this is an indirect dependency update with no app-source changes, merge risk is primarily around dev/test infrastructure rather than user-facing runtime behavior.

Recommendation

  • Merge with caution: I recommend merging once the PR's test-cypress GitHub check completes successfully.
  • If that check goes green, this looks like a worthwhile security maintenance update with low repository-specific regression risk.

Test Results

Local on this agent:

  • yarn install --immutable
  • yarn lint
  • CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter ✅ (92 suites passed, 835 tests passed)
  • Local Cypress: not runnable in this cloud environment. yarn exec cypress run --config-file cypress.config.mjs --browser electron failed because the Cypress 14.5.4 desktop binary is not installed in the agent cache, and yarn exec cypress install did not provision it here.

GitHub checks at review time:

  • lint
  • test
  • test-cypress ⏳ still running
Open in Web View Automation 

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No blocking findings.

Security

  • This bump resolves the upstream ws uninitialized memory disclosure fixed in 8.20.1 (reported as CVE-2026-45736). In affected versions, calling websocket.close() with an unsupported TypedArray reason could leak uninitialized memory to the remote peer.
  • I did not find any new supply-chain expansion in this PR: it is a lockfile-only update and still resolves to a single ws package, now unified at 8.20.1.

Safety of merging

  • In this repository, ws is not imported directly. yarn why ws shows it is only pulled in transitively by webpack-dev-server, webpack-bundle-analyzer, and jsdom, so the risk is concentrated in local dev/test tooling rather than shipped application code.
  • The upstream changes between 8.18.0 and 8.20.1 are low risk for this repo: 8.19.0 added the optional closeTimeout setting and a Node core compatibility fix, 8.20.0 added new exports, and 8.20.1 fixed the disclosure bug.
  • The main behavior change to be aware of is that invalid websocket.close() reason values now error instead of leaking memory. I found no repository code that imports ws or appears coupled to that API, so I do not see a practical compatibility concern here.

Test results

  • Local: yarn install --immutable passed.
  • Local: yarn lint passed.
  • Local: CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter passed (92/92 suites, 835/835 tests).
  • Local Cypress was not runnable in this cloud agent because the Cypress package is present but the Cypress binary is not installed.
  • GitHub checks at review time: lint passed, test passed, deploy-branch / build-deploy passed, and test-cypress was still in progress.

Recommendation

  • Merge with caution: from a dependency-review standpoint this looks safe and net-positive, but I would wait for the hosted test-cypress job to finish green before merging.
Open in Web View Automation 

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs

@zetter-rpf zetter-rpf merged commit 3e2fbf0 into main May 26, 2026
8 checks passed
@zetter-rpf zetter-rpf deleted the dependabot/npm_and_yarn/ws-8.20.1 branch May 26, 2026 08:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants