Update dependency ws to ~8.17.0 [SECURITY] #354
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
~8.11.0
->~8.17.0
GitHub Vulnerability Alerts
CVE-2024-37890
Impact
A request with a number of headers exceeding the
server.maxHeadersCount
threshold could be used to crash a ws server.Proof of concept
Patches
The vulnerability was fixed in ws@8.17.1 (websockets/ws@e55e510) and backported to ws@7.5.10 (websockets/ws@22c2876), ws@6.2.3 (websockets/ws@eeb76d3), and ws@5.2.4 (websockets/ws@4abd8f6)
Workarounds
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=size
and/or themaxHeaderSize
options so that no more headers than theserver.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.Credits
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
References
Release Notes
websockets/ws (ws)
v8.17.1
Compare Source
Bug fixes
A request with a number of headers exceeding the[
server.maxHeadersCount
][server.maxHeadersCount]threshold could be used to crash a ws server.
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
[
--max-http-header-size=size
][--max-http-header-size=size] and/or the [maxHeaderSize
][maxHeaderSize] options sothat no more headers than the
server.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.v8.17.0
Compare Source
Features
WebSocket
constructor now accepts thecreateConnection
option (#2219).Other notable changes
allowSynchronousEvents
option has been changed totrue
(#2221).This is a breaking change in a patch release. The assumption is that the option
is not widely used.
v8.16.0
Compare Source
Features
autoPong
option (01ba54e
).v8.15.1
Compare Source
Notable changes
allowMultipleEventsPerMicrotask
option has been renamed toallowSynchronousEvents
(4ed7fe5
).This is a breaking change in a patch release that could have been avoided with
an alias, but the renamed option was added only 3 days ago, so hopefully it
hasn't already been widely used.
v8.15.0
Compare Source
Features
allowMultipleEventsPerMicrotask
option (93e3552
).v8.14.2
Compare Source
Bug fixes
swallowed when running tests (
7f4e1a7
).v8.14.1
Compare Source
Bug fixes
fd3c64c
).v8.14.0
Compare Source
Features
WebSocket
constructor now accepts HTTP(S) URLs (#2162).socket
argument ofserver.handleUpgrade()
can now be a genericDuplex
stream (#2165).Other notable changes
v8.13.0
Compare Source
Features
finishRequest
option to support late addition of headers (#2123).v8.12.1
Compare Source
Bug fixes
browser
condition to package.json (#2118).v8.12.0
Compare Source
Features
utf-8-validate@6
(ff63bba
).Other notable changes
buffer.isUtf8()
][buffer.isUtf8()] is now used instead ofutf-8-validate
if available(
42d79f6
).Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.