Skip to content
This repository has been archived by the owner on Mar 27, 2022. It is now read-only.

[Security] Bump ws from 5.2.2 to 5.2.3 #234

Closed
wants to merge 158 commits into from
Closed

[Security] Bump ws from 5.2.2 to 5.2.3 #234

wants to merge 158 commits into from

Conversation

dependabot-preview[bot]
Copy link
Contributor

Bumps ws from 5.2.2 to 5.2.3. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

ReDoS in Sec-Websocket-Protocol header

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();
value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start);
}

Patches

... (truncated)

Affected versions: < 5.2.3

Release notes

Sourced from ws's releases.

5.2.3

Bug fixes

  • Backported 00c425ec to the 5.x release line (76d47c14).
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

awibox and others added 30 commits January 29, 2020 23:29
@awibox
Initial commit
3758200
@awibox
#1: the environment was renamed
0ad9124
@awibox
#2: text variables was deleted
0c9dc75
@awibox
Merge pull request #3 from awibox/develop
1059d05 
#2: text variables was deleted
@awibox
#4: consent button was created
f91006a
@awibox
Merge pull request #5 from awibox/develop
7ba4eb8 
#4: consent button was created
@awibox
#6: consent function was added
3437389
@awibox
Merge pull request #7 from awibox/develop
69bf865 
#6: consent function was added
@awibox
#8: information in the README.md was updated
9fa8e68
@awibox
Merge pull request #9 from awibox/develop
9296cc9 
#8: information in the README.md was updated
@awibox
#10: The ability to customize button styles has been added
2c202a4
@awibox
Merge pull request #11 from awibox/develop
92fc78b 
#10: The ability to customize button styles has been added
@awibox
#10: Problem with buttonClassName was fixed and test for that has bee…
ff28a43 
…n added
@awibox
Merge pull request #12 from awibox/develop
5be278d 
#10: Problem with buttonClassName was fixed and test for that has bee…
@awibox
#13: Adaptation for mobile devices
7b0d274
@awibox
Merge pull request #14 from awibox/develop
d5cb9d2 
#13: Adaptation for mobile devices
@awibox
#15: combo-storage was updated to 2.0.0
0210beb
@awibox
Merge pull request #16 from awibox/develop
dd942cf 
#15: combo-storage was updated to 2.0.0
@awibox
#17: Solving a problem with running tests during a build
e8a25b4
@awibox
Merge pull request #18 from awibox/develop
dea96c0 
#17: Solving a problem with running tests during a build
@awibox
#19: problem with combo-storage was fixed
0abb545
@awibox
Merge pull request #20 from awibox/develop
8b990fe 
#19: problem with combo-storage was fixed
@awibox
#19: dist dir was updated
ced312d
@awibox
#19: coveralls settings were updated
38390a1
@awibox
Merge pull request #21 from awibox/develop
55400f4 
#19: dist dir was updated
@awibox
#23: peerDependencies for React
a36340d
@awibox
Merge pull request #24 from awibox/develop
7aef5c3 
#23: peerDependencies for React
@dependabot
Bump acorn from 5.7.3 to 5.7.4
bb1a878 
Bumps [acorn](https://github.com/acornjs/acorn) from 5.7.3 to 5.7.4.
- [Release notes](https://github.com/acornjs/acorn/releases)
- [Commits](acornjs/acorn@5.7.3...5.7.4)

Signed-off-by: dependabot[bot] <support@github.com>
@awibox
Merge pull request #25 from awibox/dependabot/npm_and_yarn/acorn-5.7.4
7d96bd5 
Bump acorn from 5.7.3 to 5.7.4
@awibox
#26: Updating dependencies
d974f90
dependabot-preview bot and others added 25 commits March 24, 2021 07:29
@dependabot-preview
Bump eslint-plugin-react from 7.20.6 to 7.23.1
ad69cfc 
Bumps [eslint-plugin-react](https://github.com/yannickcr/eslint-plugin-react) from 7.20.6 to 7.23.1.
- [Release notes](https://github.com/yannickcr/eslint-plugin-react/releases)
- [Changelog](https://github.com/yannickcr/eslint-plugin-react/blob/master/CHANGELOG.md)
- [Commits](jsx-eslint/eslint-plugin-react@v7.20.6...v7.23.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@awibox
Merge pull request #178 from awibox/dependabot/npm_and_yarn/eslint-pl…
e98f1f7 
…ugin-react-7.23.1

Bump eslint-plugin-react from 7.20.6 to 7.23.1
@awibox
Merge pull request #173 from awibox/dependabot/npm_and_yarn/babel/pre…
640e557 
…set-react-7.12.13

Bump @babel/preset-react from 7.10.4 to 7.12.13
@awibox
Merge pull request #122 from awibox/dependabot/npm_and_yarn/react-16.…
37fe879 
…14.0

Bump react from 16.13.1 to 16.14.0
@dependabot-preview
Bump jest from 26.4.2 to 26.6.3
5af1c49 
Bumps [jest](https://github.com/facebook/jest) from 26.4.2 to 26.6.3.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](jestjs/jest@v26.4.2...v26.6.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview
Bump react-dom from 16.13.1 to 16.14.0
75e548f 
Bumps [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) from 16.13.1 to 16.14.0.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/master/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v16.14.0/packages/react-dom)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@awibox
Merge pull request #132 from awibox/dependabot/npm_and_yarn/jest-26.6.3
317532e 
Bump jest from 26.4.2 to 26.6.3
@awibox
Merge pull request #181 from awibox/dependabot/npm_and_yarn/react-dom…
e7f8f29 
…-16.14.0

Bump react-dom from 16.13.1 to 16.14.0
@dependabot-preview
Bump eslint from 7.22.0 to 7.23.0
0eb6359 
Bumps [eslint](https://github.com/eslint/eslint) from 7.22.0 to 7.23.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v7.22.0...v7.23.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview
Bump @babel/preset-react from 7.12.13 to 7.13.13
61d74af 
Bumps [@babel/preset-react](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-react) from 7.12.13 to 7.13.13.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.13.13/packages/babel-preset-react)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview
Bump webpack-cli from 4.5.0 to 4.6.0
4a804d9 
Bumps [webpack-cli](https://github.com/webpack/webpack-cli) from 4.5.0 to 4.6.0.
- [Release notes](https://github.com/webpack/webpack-cli/releases)
- [Changelog](https://github.com/webpack/webpack-cli/blob/master/CHANGELOG.md)
- [Commits](https://github.com/webpack/webpack-cli/compare/webpack-cli@4.5.0...webpack-cli@4.6.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview
[Security] Bump y18n from 4.0.0 to 4.0.1
fc0a528 
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1. **This update includes a security fix.**
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@awibox
Merge pull request #186 from awibox/dependabot/npm_and_yarn/y18n-4.0.1
35e920a 
[Security] Bump y18n from 4.0.0 to 4.0.1
@awibox
Merge pull request #184 from awibox/dependabot/npm_and_yarn/webpack-c…
823eea1 
…li-4.6.0

Bump webpack-cli from 4.5.0 to 4.6.0
@awibox
Merge pull request #183 from awibox/dependabot/npm_and_yarn/babel/pre…
58faf97 
…set-react-7.13.13

Bump @babel/preset-react from 7.12.13 to 7.13.13
@dependabot-preview
Bump eslint-plugin-react from 7.23.1 to 7.23.2
4168c11 
Bumps [eslint-plugin-react](https://github.com/yannickcr/eslint-plugin-react) from 7.23.1 to 7.23.2.
- [Release notes](https://github.com/yannickcr/eslint-plugin-react/releases)
- [Changelog](https://github.com/yannickcr/eslint-plugin-react/blob/master/CHANGELOG.md)
- [Commits](jsx-eslint/eslint-plugin-react@v7.23.1...v7.23.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview
Bump enzyme-to-json from 3.6.1 to 3.6.2
fcd4440 
Bumps [enzyme-to-json](https://github.com/adriantoine/enzyme-to-json) from 3.6.1 to 3.6.2.
- [Release notes](https://github.com/adriantoine/enzyme-to-json/releases)
- [Changelog](https://github.com/adriantoine/enzyme-to-json/blob/master/CHANGELOG.md)
- [Commits](adriantoine/enzyme-to-json@v3.6.1...v3.6.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@awibox
Merge pull request #182 from awibox/dependabot/npm_and_yarn/eslint-7.…
aaa4722 
…23.0

Bump eslint from 7.22.0 to 7.23.0
@awibox
Merge pull request #190 from awibox/dependabot/npm_and_yarn/eslint-pl…
2d2a3b6 
…ugin-react-7.23.2

Bump eslint-plugin-react from 7.23.1 to 7.23.2
@awibox
Merge pull request #192 from awibox/dependabot/npm_and_yarn/enzyme-to…
95eb54b 
…-json-3.6.2

Bump enzyme-to-json from 3.6.1 to 3.6.2
@dependabot-preview
Bump eslint from 7.23.0 to 7.24.0
9be58c1 
Bumps [eslint](https://github.com/eslint/eslint) from 7.23.0 to 7.24.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v7.23.0...v7.24.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@awibox
Merge pull request #194 from awibox/dependabot/npm_and_yarn/eslint-7.…
648bcbc 
…24.0

Bump eslint from 7.23.0 to 7.24.0
@dependabot-preview
[Security] Bump hosted-git-info from 2.8.8 to 2.8.9
9a5fa8c 
Bumps [hosted-git-info](https://github.com/npm/hosted-git-info) from 2.8.8 to 2.8.9. **This update includes a security fix.**
- [Release notes](https://github.com/npm/hosted-git-info/releases)
- [Changelog](https://github.com/npm/hosted-git-info/blob/v2.8.9/CHANGELOG.md)
- [Commits](npm/hosted-git-info@v2.8.8...v2.8.9)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@awibox
Merge pull request #213 from awibox/dependabot/npm_and_yarn/hosted-gi…
e2c3c61 
…t-info-2.8.9

[Security] Bump hosted-git-info from 2.8.8 to 2.8.9
@dependabot-preview
[Security] Bump ws from 5.2.2 to 5.2.3
961aab5 
Bumps [ws](https://github.com/websockets/ws) from 5.2.2 to 5.2.3. **This update includes a security fix.**
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@5.2.2...5.2.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jun 9, 2021
@coveralls
Copy link

Coverage Status

Coverage remained the same at 100.0% when pulling 961aab5 on dependabot/npm_and_yarn/ws-5.2.3 into e2c3c61 on master.

@awibox awibox closed this Mar 27, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@coveralls @awibox