[Snyk] Upgrade: folder-hash, simplex-noise, websocket, ws

[rater193]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

folder-hash
from 4.0.1 to 4.0.4 | 3 versions ahead of your current version | 2 years ago
on 2023-01-11
simplex-noise
from 3.0.0 to 3.0.1 | 1 version ahead of your current version | 3 years ago
on 2022-01-04
websocket
from 1.0.34 to 1.0.35 | 1 version ahead of your current version | 4 months ago
on 2024-05-12
ws
from 8.2.3 to 8.18.0 | 24 versions ahead of your current version | 2 months ago
on 2024-07-03

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ES5EXT-6095076	696	Proof of Concept
	Denial of Service (DoS) SNYK-JS-WS-7266574	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	696	No Known Exploit

Release notes

Package name: folder-hash

• 4.0.4 - 2023-01-11
  
  • Fix #176 by removing graceful-fs from cli.js

  Full Changelog: v4.0.3...v4.0.4

• 4.0.3 - 2023-01-10
  

  What's Changed

  • Fix #146 and remove graceful-fs because it is no longer needed
  • Bump dependencies

  Full Changelog: v4.0.2...v4.0.3

• 4.0.2 - 2022-02-15
  

  What's Changed

  • Update dependencies
  • Minor changes to README

  Full Changelog: v4.0.1...v4.0.2

• 4.0.1 - 2021-03-13
  

  Fix sorting of files #90

  Full Changelog: v4.0.0...v4.0.1

from folder-hash GitHub release notes

Package name: simplex-noise

• 3.0.1 - 2022-01-04
  

  What's Changed

  • Updated examples to es6 by @ amilajack in #26
  • Fix source map warnings by @ jwagner in #44

  New Contributors

  • @ amilajack made their first contribution in #26

  Full Changelog: 3.0.0...3.0.1

• 3.0.0 - 2021-08-23
  
  • Changed module structure. When using bundlers that import the es module even using require() the import might need to be updated.
  • Dependency update
  • Setting sideEffects: false in package.json
  • Added snapshot tests
  • Code converted to typescript, the package can of course still be used from regular JS
  • Dropped bower
  • Added support for es modules

from simplex-noise GitHub release notes

Package name: websocket

• 1.0.35 - 2024-05-12
  

  Bumping version and updating Readme.

• 1.0.34 - 2021-04-14
  

  Bumping version and updating Readme.

from websocket GitHub release notes

Package name: ws

• 8.18.0 - 2024-07-03
  

  Features

  • Added support for Blob (#2229).
• 8.17.1 - 2024-06-16
  

  Bug fixes

  • Fixed a DoS vulnerability (#2231).

  A request with a number of headers exceeding theserver.maxHeadersCount
  threshold could be used to crash a ws server.

  const http = require('http');
  const WebSocket = require('ws');

  const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
  if (count === 2000) break;

  <span class="pl-k">for</span> <span class="pl-kos">(</span><span class="pl-k">let</span> <span class="pl-s1">j</span> <span class="pl-c1">=</span> <span class="pl-c1">0</span><span class="pl-kos">;</span> <span class="pl-s1">j</span> <span class="pl-c1">&lt;</span> <span class="pl-s1">chars</span><span class="pl-kos">.</span><span class="pl-c1">length</span><span class="pl-kos">;</span> <span class="pl-s1">j</span><span class="pl-c1">++</span><span class="pl-kos">)</span> <span class="pl-kos">{</span>
    <span class="pl-k">const</span> <span class="pl-s1">key</span> <span class="pl-c1">=</span> <span class="pl-s1">chars</span><span class="pl-kos">[</span><span class="pl-s1">i</span><span class="pl-kos">]</span> <span class="pl-c1">+</span> <span class="pl-s1">chars</span><span class="pl-kos">[</span><span class="pl-s1">j</span><span class="pl-kos">]</span><span class="pl-kos">;</span>
    <span class="pl-s1">headers</span><span class="pl-kos">[</span><span class="pl-s1">key</span><span class="pl-kos">]</span> <span class="pl-c1">=</span> <span class="pl-s">'x'</span><span class="pl-kos">;</span>
  
    <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-c1">++</span><span class="pl-s1">count</span> <span class="pl-c1">===</span> <span class="pl-c1">2000</span><span class="pl-kos">)</span> <span class="pl-k">break</span><span class="pl-kos">;</span>
  <span class="pl-kos">}</span>
  

  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
  headers: headers,
  host: '127.0.0.1',
  port: wss.address().port
  });

  request.end();
  });

  The vulnerability was reported by Ryan LaPointe in #2230.

  In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the
     --max-http-header-size=size and/or the maxHeaderSize options so
     that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.
• 8.17.0 - 2024-04-28
  

  Features

  • The WebSocket constructor now accepts the createConnection option (#2219).

  Other notable changes

  • The default value of the allowSynchronousEvents option has been changed to
    true (#2221).

  This is a breaking change in a patch release. The assumption is that the option
  is not widely used.

• 8.16.0 - 2023-12-26
  

  Features

  • Added the autoPong option (01ba54e).
• 8.15.1 - 2023-12-12
  

  Notable changes

  • The allowMultipleEventsPerMicrotask option has been renamed to
    allowSynchronousEvents (4ed7fe5).

  This is a breaking change in a patch release that could have been avoided with
  an alias, but the renamed option was added only 3 days ago, so hopefully it
  hasn't already been widely used.

• 8.15.0 - 2023-12-09
  

  Features

  • Added the allowMultipleEventsPerMicrotask option (93e3552).
• 8.14.2 - 2023-09-19
  

  Bug fixes

  • Fixed an issue that allowed errors thrown by failed assertions to be
    swallowed when running tests (7f4e1a7).
• 8.14.1 - 2023-09-08
• 8.14.0 - 2023-09-06
• 8.13.0 - 2023-03-10
• 8.12.1 - 2023-02-13
• 8.12.0 - 2023-01-07
• 8.11.0 - 2022-11-06
• 8.10.0 - 2022-10-24
• 8.9.0 - 2022-09-22
• 8.8.1 - 2022-07-15
• 8.8.0 - 2022-06-09
• 8.7.0 - 2022-05-26
• 8.6.0 - 2022-05-01
• 8.5.0 - 2022-02-07
• 8.4.2 - 2022-01-14
• 8.4.1 - 2022-01-13
• 8.4.0 - 2021-12-20
• 8.3.0 - 2021-11-23
• 8.2.3 - 2021-10-02

from ws GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs