Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: bump ws from 7.4.5 to 7.4.6 #2448

Merged
merged 1 commit into from Aug 6, 2021
Merged

chore: bump ws from 7.4.5 to 7.4.6 #2448

merged 1 commit into from Aug 6, 2021

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 30, 2021
edited

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Bumps ws from 7.4.5 to 7.4.6.

Release notes

Sourced from ws's releases.

7.4.6

Bug fixes

  • Fixed a ReDoS vulnerability (00c425ec).

A specially crafted value of the Sec-Websocket-Protocol header could be used to significantly slow down a ws server.

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();
value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start);
}

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added the dependencies This issue is a problem in a dependency. label May 30, 2021
@codecov-commenter
Copy link

codecov-commenter commented May 30, 2021
edited

Codecov Report

❗ No coverage uploaded for pull request base (main@d9acbf3). Click here to learn what that means.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##             main    #2448   +/-   ##
=======================================
  Coverage        ?   60.61%           
=======================================
  Files           ?      516           
  Lines           ?    27749           
  Branches        ?     6817           
=======================================
  Hits            ?    16820           
  Misses          ?    10929           
  Partials        ?        0

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d9acbf3...72ef312. Read the comment docs.

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 2 times, most recently from 707d235 to af6b4b9 Compare June 5, 2021 00:14
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from af6b4b9 to a480951 Compare June 12, 2021 16:14
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from a480951 to 65d3772 Compare June 24, 2021 22:47
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 65d3772 to 99bfaec Compare July 2, 2021 23:36
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 3 times, most recently from 3295958 to 9f3d6c7 Compare July 16, 2021 23:51
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 3 times, most recently from c581dc1 to 6c56e3c Compare July 26, 2021 16:47
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 3 times, most recently from 0a0f44c to f7e5491 Compare July 30, 2021 00:55
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 3 times, most recently from 8a5a68a to 573d368 Compare August 5, 2021 19:10
@dependabot
chore: bump ws from 7.4.5 to 7.4.6
72ef312 
Bumps [ws](https://github.com/websockets/ws) from 7.4.5 to 7.4.6.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@7.4.5...7.4.6)

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 573d368 to 72ef312 Compare August 6, 2021 00:40
@aws-sdk-js-automation
Copy link

AWS CodeBuild CI Report

  • CodeBuild project: sdk-staging-test
  • Commit ID: 72ef312
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@trivikr trivikr merged commit f0688fe into main Aug 6, 2021
@trivikr trivikr deleted the dependabot/npm_and_yarn/ws-7.4.6 branch August 6, 2021 18:43
@github-actions
Copy link

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 21, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@trivikr trivikr trivikr approved these changes

Assignees
No one assigned
Labels
dependencies This issue is a problem in a dependency.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@codecov-commenter @aws-sdk-js-automation @trivikr