Commit 6073faa
chore(deps): update dependency ws to v8 (#105)
This PR contains the following updates:
| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [ws](https://redirect.github.com/websockets/ws) | overrides | major | [`7.5.10` -> `8.18.0`](https://renovatebot.com/diffs/npm/ws/7.5.10/8.18.0) | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/websockets/ws) |
---
### Release Notes
<details>
<summary>websockets/ws (ws)</summary>
### [`v8.18.0`](https://redirect.github.com/websockets/ws/releases/tag/8.18.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.17.1...8.18.0)
### Features
- Added support for `Blob`
([#​2229](https://redirect.github.com/websockets/ws/issues/2229)).
### [`v8.17.1`](https://redirect.github.com/websockets/ws/releases/tag/8.17.1)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.17.0...8.17.1)
### Bug fixes
- Fixed a DoS vulnerability
([#​2231](https://redirect.github.com/websockets/ws/issues/2231)).
A request with a number of headers exceeding the
[`server.maxHeadersCount`][] threshold could be used to crash a ws server.
```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```
The vulnerability was reported by [Ryan
LaPointe](https://redirect.github.com/rrlapointe) in
[https://github.com/websockets/ws/issues/2230](https://redirect.github.com/websockets/ws/issues/2230).
In vulnerable versions of ws, the issue can be mitigated in the
following ways:
1. Reduce the maximum allowed length of the request headers using the
   [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so
   that no more headers than the `server.maxHeadersCount` limit can be sent.
2. Set `server.maxHeadersCount` to `0` so that no limit is applied.

[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize
[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener
[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount
### [`v8.17.0`](https://redirect.github.com/websockets/ws/releases/tag/8.17.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.16.0...8.17.0)
### Features
- The `WebSocket` constructor now accepts the `createConnection` option
([#​2219](https://redirect.github.com/websockets/ws/issues/2219)).
### Other notable changes
- The default value of the `allowSynchronousEvents` option has been
changed to
`true`
([#​2221](https://redirect.github.com/websockets/ws/issues/2221)).
This is a breaking change in a patch release. The assumption is that the
option
is not widely used.
### [`v8.16.0`](https://redirect.github.com/websockets/ws/releases/tag/8.16.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.15.1...8.16.0)
### Features
- Added the `autoPong` option
([`01ba54e`](https://redirect.github.com/websockets/ws/commit/01ba54ed)).
### [`v8.15.1`](https://redirect.github.com/websockets/ws/releases/tag/8.15.1)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.15.0...8.15.1)
### Notable changes
- The `allowMultipleEventsPerMicrotask` option has been renamed to
`allowSynchronousEvents`
([`4ed7fe5`](https://redirect.github.com/websockets/ws/commit/4ed7fe58)).
This is a breaking change in a patch release that could have been
avoided with
an alias, but the renamed option was added only 3 days ago, so hopefully
it
hasn't already been widely used.
### [`v8.15.0`](https://redirect.github.com/websockets/ws/releases/tag/8.15.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.14.2...8.15.0)
### Features
- Added the `allowMultipleEventsPerMicrotask` option
([`93e3552`](https://redirect.github.com/websockets/ws/commit/93e3552e)).
### [`v8.14.2`](https://redirect.github.com/websockets/ws/releases/tag/8.14.2)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.14.1...8.14.2)
### Bug fixes
- Fixed an issue that allowed errors thrown by failed assertions to be
swallowed when running tests
([`7f4e1a7`](https://redirect.github.com/websockets/ws/commit/7f4e1a75)).
### [`v8.14.1`](https://redirect.github.com/websockets/ws/releases/tag/8.14.1)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.14.0...8.14.1)
### Bug fixes
- Improved the reliability of two tests for [CITGM][]
([`fd3c64c`](https://redirect.github.com/websockets/ws/commit/fd3c64cb)).
[CITGM]: https://redirect.github.com/nodejs/citgm
### [`v8.14.0`](https://redirect.github.com/websockets/ws/releases/tag/8.14.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.13.0...8.14.0)
### Features
- The `WebSocket` constructor now accepts HTTP(S) URLs
([#​2162](https://redirect.github.com/websockets/ws/issues/2162)).
- The `socket` argument of `server.handleUpgrade()` can now be a generic
`Duplex` stream
([#​2165](https://redirect.github.com/websockets/ws/issues/2165)).
### Other notable changes
- At most one event per microtask is now emitted
([#​2160](https://redirect.github.com/websockets/ws/issues/2160)).
### [`v8.13.0`](https://redirect.github.com/websockets/ws/releases/tag/8.13.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.12.1...8.13.0)
### Features
- Added the `finishRequest` option to support late addition of headers
([#​2123](https://redirect.github.com/websockets/ws/issues/2123)).
### [`v8.12.1`](https://redirect.github.com/websockets/ws/releases/tag/8.12.1)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.12.0...8.12.1)
### Bug fixes
- Added `browser` condition to package.json
([#​2118](https://redirect.github.com/websockets/ws/issues/2118)).
### [`v8.12.0`](https://redirect.github.com/websockets/ws/releases/tag/8.12.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.11.0...8.12.0)
### Features
- Added support for `utf-8-validate@6`
([`ff63bba`](https://redirect.github.com/websockets/ws/commit/ff63bba3)).
### Other notable changes
- [`buffer.isUtf8()`][] is now used instead of `utf-8-validate` if available
  ([`42d79f6`](https://redirect.github.com/websockets/ws/commit/42d79f60)).

[`buffer.isUtf8()`]: https://nodejs.org/api/buffer.html#bufferisutf8input
### [`v8.11.0`](https://redirect.github.com/websockets/ws/releases/tag/8.11.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.10.0...8.11.0)
### Features
- `WebSocket.prototype.addEventListener()` now supports an event
listener
specified as an object with a `handleEvent()` method.
([`9ab743a`](https://redirect.github.com/websockets/ws/commit/9ab743aa)).
### Bug fixes
- `WebSocket.prototype.addEventListener()` now adds an event listener
only if it
is not already in the list of the event listeners for the specified
event type
([`1cec17d`](https://redirect.github.com/websockets/ws/commit/1cec17da)).
### [`v8.10.0`](https://redirect.github.com/websockets/ws/releases/tag/8.10.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.9.0...8.10.0)
### Features
- Added an export for package.json
([`211d5d3`](https://redirect.github.com/websockets/ws/commit/211d5d38)).
### [`v8.9.0`](https://redirect.github.com/websockets/ws/releases/tag/8.9.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.8.1...8.9.0)
### Features
- Added the ability to connect to Windows named pipes
([#​2079](https://redirect.github.com/websockets/ws/issues/2079)).
### [`v8.8.1`](https://redirect.github.com/websockets/ws/releases/tag/8.8.1)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.8.0...8.8.1)
### Bug fixes
- The `Authorization` and `Cookie` headers are no longer sent if the
original
request for the opening handshake is sent to an IPC server and the
client is
redirected to another IPC server
([`bc8bd34`](https://redirect.github.com/websockets/ws/commit/bc8bd34e)).
### [`v8.8.0`](https://redirect.github.com/websockets/ws/releases/tag/8.8.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.7.0...8.8.0)
### Features
- Added the `WS_NO_BUFFER_UTIL` and `WS_NO_UTF_8_VALIDATE` environment
variables
([`becf237`](https://redirect.github.com/websockets/ws/commit/becf237c)).
### [`v8.7.0`](https://redirect.github.com/websockets/ws/releases/tag/8.7.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.6.0...8.7.0)
### Features
- Added the ability to inspect the invalid handshake requests and
respond to
them with a custom HTTP response.
([`6e5a5ce`](https://redirect.github.com/websockets/ws/commit/6e5a5ce3)).
### Bug fixes
- The handshake is now aborted if the `Upgrade` header field value in
the HTTP
response is not a case-insensitive match for the value "websocket"
([`0fdcc0a`](https://redirect.github.com/websockets/ws/commit/0fdcc0af)).
- The `Authorization` and `Cookie` headers are no longer sent when
following an
insecure redirect (wss: to ws:) to the same host
([`d68ba9e`](https://redirect.github.com/websockets/ws/commit/d68ba9e1)).
### [`v8.6.0`](https://redirect.github.com/websockets/ws/releases/tag/8.6.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.5.0...8.6.0)
### Features
- Added the ability to remove confidential headers on a per-redirect
basis
([#​2030](https://redirect.github.com/websockets/ws/issues/2030)).
### [`v8.5.0`](https://redirect.github.com/websockets/ws/releases/tag/8.5.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.4.2...8.5.0)
### Features
- Added the ability to use a custom `WebSocket` class on the server
([#​2007](https://redirect.github.com/websockets/ws/issues/2007)).
### Bug fixes
- When following redirects, the `Authorization` and `Cookie` headers are
no
longer sent if the redirect host is different from the original host
([#​2013](https://redirect.github.com/websockets/ws/issues/2013)).
### [`v8.4.2`](https://redirect.github.com/websockets/ws/releases/tag/8.4.2)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.4.1...8.4.2)
### Bug fixes
- Fixed a data framing issue introduced in version 8.4.1
([#​2004](https://redirect.github.com/websockets/ws/issues/2004)).
### [`v8.4.1`](https://redirect.github.com/websockets/ws/releases/tag/8.4.1)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.4.0...8.4.1)
### Notable changes
- To improve performance, strings sent via `websocket.ping()`,
`websocket.pong()`, and `websocket.send()` are no longer converted to
`Buffer`s if the data does not need to be masked
([#​2000](https://redirect.github.com/websockets/ws/issues/2000)).
### [`v8.4.0`](https://redirect.github.com/websockets/ws/releases/tag/8.4.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.3.0...8.4.0)
### Features
- Added ability to generate custom masking keys
([#​1990](https://redirect.github.com/websockets/ws/issues/1990)).
### [`v8.3.0`](https://redirect.github.com/websockets/ws/releases/tag/8.3.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.2.3...8.3.0)
### Features
- Added ability to pause and resume a `WebSocket`
([`0a8c7a9`](https://redirect.github.com/websockets/ws/commit/0a8c7a9c)).
### Bug fixes
- Fixed a bug that could prevent the connection from being closed
cleanly when
using the stream API
([`ed2b803`](https://redirect.github.com/websockets/ws/commit/ed2b8039)).
- When following redirects, an error is now emitted and not thrown if
the
redirect URL is invalid
([#​1980](https://redirect.github.com/websockets/ws/issues/1980)).
### [`v8.2.3`](https://redirect.github.com/websockets/ws/releases/tag/8.2.3)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.2.2...8.2.3)
### Bug fixes
- When context takeover is enabled, messages are now compressed even if
their size
is below the value of the `perMessageDeflate.threshold` option
([`41ae563`](https://redirect.github.com/websockets/ws/commit/41ae5631)).
### [`v8.2.2`](https://redirect.github.com/websockets/ws/releases/tag/8.2.2)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.2.1...8.2.2)
### Bug fixes
- Some closing operations are now run only if needed
([`ec9377c`](https://redirect.github.com/websockets/ws/commit/ec9377ca)).
### [`v8.2.1`](https://redirect.github.com/websockets/ws/releases/tag/8.2.1)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.2.0...8.2.1)
### Bug fixes
- Fixed an issue where the socket was not resumed, preventing the
connection
from being closed cleanly
([`869c989`](https://redirect.github.com/websockets/ws/commit/869c9892)).
### [`v8.2.0`](https://redirect.github.com/websockets/ws/releases/tag/8.2.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.1.0...8.2.0)
### Features
- Added `WebSocket.WebSocket` as an alias for `WebSocket` and
`WebSocket.WebSocketServer` as an alias for `WebSocket.Server` to fix
name
consistency and improve interoperability with the ES module wrapper
([#​1935](https://redirect.github.com/websockets/ws/issues/1935)).
### [`v8.1.0`](https://redirect.github.com/websockets/ws/releases/tag/8.1.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/8.0.0...8.1.0)
### Features
- Added ability to skip UTF-8 validation
([#​1928](https://redirect.github.com/websockets/ws/issues/1928)).
### Bug fixes
- Fixed an issue with a breaking change in Node.js master
([`6a72da3`](https://redirect.github.com/websockets/ws/commit/6a72da3e)).
- Fixed a misleading error message
([`c95e695`](https://redirect.github.com/websockets/ws/commit/c95e695d)).
### [`v8.0.0`](https://redirect.github.com/websockets/ws/releases/tag/8.0.0)
[Compare Source](https://redirect.github.com/websockets/ws/compare/7.5.10...8.0.0)
### Breaking changes
- The `WebSocket` constructor now throws a `SyntaxError` if any of the
subprotocol names are invalid or duplicated
([`0aecf0c`](https://redirect.github.com/websockets/ws/commit/0aecf0c9)).
- The server now aborts the opening handshake if an invalid
`Sec-WebSocket-Protocol` header field value is received
([`1877dde`](https://redirect.github.com/websockets/ws/commit/1877ddeb)).
- The `protocols` argument of `handleProtocols` hook is no longer an
`Array` but
a `Set`
([`1877dde`](https://redirect.github.com/websockets/ws/commit/1877ddeb)).
- The opening handshake is now aborted if the `Sec-WebSocket-Extensions`
header
field value is empty or it begins or ends with a white space
([`e814110`](https://redirect.github.com/websockets/ws/commit/e814110e)).
- Dropped support for Node.js < 10.0.0
([`552b506`](https://redirect.github.com/websockets/ws/commit/552b5067)).
- The `WebSocket` constructor now throws a `SyntaxError` if the
connection URL
contains a fragment identifier or if the URL's protocol is not one of
`'ws:'`,
`'wss:'`, or `'ws+unix:'`
([`ebea038`](https://redirect.github.com/websockets/ws/commit/ebea038f)).
- Text messages and close reasons are no longer decoded to strings. They
are
passed as `Buffer`s to the listeners of their respective events. The
listeners
of the `'message'` event now take a boolean argument specifying whether
or not
the message is binary
([`e173423`](https://redirect.github.com/websockets/ws/commit/e173423c)).
Existing code can be migrated by decoding the buffer explicitly.
```js
websocket.on('message', function message(data, isBinary) {
  const message = isBinary ? data : data.toString();
  // Continue as before.
});

websocket.on('close', function close(code, data) {
  const reason = data.toString();
  // Continue as before.
});
```
- The package now uses an ES module wrapper
([`78adf5f`](https://redirect.github.com/websockets/ws/commit/78adf5f7)).
- `WebSocketServer.prototype.close()` no longer closes existing
connections
([`df7de57`](https://redirect.github.com/websockets/ws/commit/df7de574)).
Existing code can be migrated by closing the connections manually.
```js
websocketServer.close();
for (const ws of websocketServer.clients) {
  ws.terminate();
}
```
- The callback of `WebSocketServer.prototype.close()` is now called with
an
error if the server is already closed
([`abde9cf`](https://redirect.github.com/websockets/ws/commit/abde9cfc)).
- `WebSocket.prototype.addEventListener()` is now a noop if the `type`
argument
is not one of `'close'`, `'error'`, `'message'`, or `'open'`
([`9558ed1`](https://redirect.github.com/websockets/ws/commit/9558ed1c)).
- `WebSocket.prototype.removeEventListener()` now only removes listeners
added
with `WebSocket.prototype.addEventListener()` and only one at time
([`ea95d9c`](https://redirect.github.com/websockets/ws/commit/ea95d9c4)).
- The value of the `onclose`, `onerror`, `onmessage`, and `onopen`
properties is
now `null` if the respective event handler is not set
([`6756cf5`](https://redirect.github.com/websockets/ws/commit/6756cf58)).
- The `OpenEvent` class has been removed
([`21e6500`](https://redirect.github.com/websockets/ws/commit/21e65004)).
### Bug fixes
- The event listeners added via handler properties are now independent
from the
event listeners added with `WebSocket.prototype.addEventListener()`
([`0b21c03`](https://redirect.github.com/websockets/ws/commit/0b21c03a)).
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/settlemint/solidity-empty).
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent 8203422 commit 6073faa
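The 8.17.1 advisory quoted in the commit message turns on `server.maxHeadersCount`. The following is an added example, not code from this commit or from ws: it models the limit as Node dropping header pairs past the count (an assumption of this sketch, with `0` meaning no limit) and shows why an upgrade handler must treat every handshake header as possibly absent. All function names and the filler headers are constructed for illustration.

```javascript
'use strict';

// Model of server.maxHeadersCount (assumption of this example): header pairs
// past the limit never reach the handler; 0 disables the limit.
function applyMaxHeadersCount(pairs, maxHeadersCount) {
  const kept = maxHeadersCount > 0 ? pairs.slice(0, maxHeadersCount) : pairs;
  const headers = {};
  for (const [name, value] of kept) headers[name.toLowerCase()] = value;
  return headers;
}

// Illustrative handler that assumes the Upgrade header is always present.
function naiveCheck(headers) {
  return headers.upgrade.toLowerCase() === 'websocket';
}

// Null-safe check: returns an HTTP status to answer with, never throws.
function checkUpgrade(headers) {
  const upgrade = headers.upgrade;
  if (typeof upgrade !== 'string' || upgrade.toLowerCase() !== 'websocket') {
    return { ok: false, status: 400, reason: 'invalid Upgrade header' };
  }
  const key = headers['sec-websocket-key'];
  if (typeof key !== 'string' || !/^[+/0-9A-Za-z]{22}==$/.test(key)) {
    return { ok: false, status: 400, reason: 'invalid Sec-WebSocket-Key' };
  }
  if (headers['sec-websocket-version'] !== '13') {
    return { ok: false, status: 400, reason: 'unsupported version' };
  }
  return { ok: true, status: 101, reason: 'switching protocols' };
}

// Constructed input: filler headers first, handshake headers last.
function buildPairs(fillerCount) {
  const pairs = [];
  for (let i = 0; i < fillerCount; i++) pairs.push([`x-filler-${i}`, 'x']);
  pairs.push(['Connection', 'Upgrade'], ['Upgrade', 'websocket']);
  pairs.push(['Sec-WebSocket-Key', 'dGhlIHNhbXBsZSBub25jZQ==']);
  pairs.push(['Sec-WebSocket-Version', '13']);
  return pairs;
}

// Runs both checks with the limit at 2000 and with the limit disabled.
function demo() {
  const pairs = buildPairs(2000);
  const results = {};
  for (const limit of [2000, 0]) {
    const headers = applyMaxHeadersCount(pairs, limit);
    let naive;
    try { naive = String(naiveCheck(headers)); } catch (e) { naive = e.name; }
    results[limit] = { naive, safe: checkUpgrade(headers).status };
  }
  return results;
}

console.log(demo());
```

With the limit at 2000 the handshake headers are cut off, so the naive check throws while the null-safe check answers 400; with the limit disabled both see a valid handshake.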
2 files changed, +3 -3 lines changed

bun.lock (+2 -2): 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
21 | 21 |
| |
22 | 22 |
| |
23 | 23 |
| |
24 |
| - | |
| 24 | + | |
25 | 25 |
| |
26 | 26 |
| |
27 | 27 |
| |
| |||
1444 | 1444 |
| |
1445 | 1445 |
| |
1446 | 1446 |
| |
1447 |
| - | |
| 1447 | + | |
1448 | 1448 |
| |
1449 | 1449 |
| |
1450 | 1450 |
| |
|
package.json (+1 -1): 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
48 | 48 |
| |
49 | 49 |
| |
50 | 50 |
| |
51 |
| - | |
| 51 | + | |
52 | 52 |
| |
53 | 53 |
| |
54 | 54 |
| |
|
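Review bot: the one-line change at package.json line 51 carries a major bump, and per the commit description ws is pinned through `overrides`, so every package that resolves ws transitively is forced from 7.5.10 to 8.18.0 whether or not it was written for v8. The 8.0.0 breaking changes listed in the commit message (text messages delivered as `Buffer`, `WebSocketServer.prototype.close()` no longer closing existing connections, `handleProtocols` receiving a `Set`) land in those dependents rather than in this repository's own code. Please name the affected dependents in the PR and confirm their behaviour against 8.x, or scope the override to the packages that need it.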