
Bump ws from 8.14.2 to 8.17.1 #375

Closed

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Jun 17, 2024

Bumps ws from 8.14.2 to 8.17.1.

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • 934c9d6 [ci] Test on node 22
  • 1817bac [ci] Do not test on node 21
  • 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
  • e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
  • Additional commits viewable in compare view


You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [ws](https://github.com/websockets/ws) from 8.14.2 to 8.17.1.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.14.2...8.17.1)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from remusao as a code owner June 17, 2024 20:02
@dependabot dependabot bot added the PR: Dependencies 🔩 Changes only update dependencies label Jun 17, 2024

[puLL-Merge] - websockets/ws@8.14.2..8.17.1

Description

This pull request introduces several updates to the websockets/ws repository, focusing mainly on the following areas:

  1. Migration from .eslintrc.yaml to eslint.config.js.
  2. Continuous integration (CI) workflow improvements.
  3. Code refactoring and the addition of new options for WebSocket and WebSocketServer.
  4. Enhancements to the README.md documentation.
  5. Updates to the test cases for broader test coverage and alignment with new changes.
  6. Version bump for the package.

Possible Issues

  1. Deprecation Warnings: The new parameter allowSynchronousEvents may cause unexpected behavior if existing applications rely on synchronous events.
  2. Backward Compatibility: The changes in how errors are handled in receiver.js could introduce issues in applications that expect different error handling or messaging patterns.

Security Hotspots

None identified. The changes focus primarily on configuration management, refactoring, and enhanced option handling without introducing new external inputs or processing mechanisms that could introduce security vulnerabilities.

Changes

.github/workflows/ci.yml
  • Added support for Node.js version 22.
  • Updated actions/setup-node from version v3 to v4.
README.md
  • Provided clarification and additional sections to documentation.
  • Introduced a new "Legacy opt-in for performance" section.
  • Corrected grammatical mistakes across the documentation.
SECURITY.md
  • Minor grammar corrections for better readability.
doc/ws.md
  • Introduced new options: autoPong and allowSynchronousEvents.
  • Enhanced documentation for clarity.
eslint.config.js
  • Added new ESLint configuration file replacing the deprecated .eslintrc.yaml.
  • Set up modern JavaScript linting standards with Prettier integration.
FUNDING.json
  • Added Ethereum funding details for Drips.
lib/receiver.js
  • Substantial refactoring for error handling and state management.
  • Added support for new allowSynchronousEvents and autoPong options.
  • Replaced complex microtask queuing logic with simplified state management.
lib/sender.js
  • Introduced pooling for random data generation to optimize performance.
lib/websocket-server.js, lib/websocket.js
  • Added new options allowSynchronousEvents and autoPong.
  • Enhanced error handling for missing or invalid headers.
package.json
  • Updated the package version from 8.14.2 to 8.17.1.
  • Updated dependencies and development dependencies.
  • Simplified linting script in scripts.
Tests
  • Modified and added new test cases in:
    • test/create-websocket-stream.test.js
    • test/receiver.test.js
    • test/websocket-server.test.js
    • test/websocket.test.js
  • Improved coverage for new features and added necessary assertions to validate new behavior.

Overall, these changes improve the quality, consistency, and reliability of the library while also enhancing documentation and support for the latest Node.js versions.

@mihaiplesa
Contributor

@dependabot rebase

Contributor Author

dependabot bot commented on behalf of github Oct 31, 2024

Superseded by #385.

@dependabot dependabot bot closed this Oct 31, 2024
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/ws-8.17.1 branch October 31, 2024 16:33