-
-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Snyk] Upgrade ws from 7.4.6 to 7.5.3 #7457
[Snyk] Upgrade ws from 7.4.6 to 7.5.3 #7457
Conversation
Snyk has created this PR to upgrade ws from 7.4.6 to 7.5.0. See this package in npm: https://www.npmjs.com/package/ws See this project in Snyk: https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr
Currently fails with:
|
Codecov Report
@@ Coverage Diff @@
## master #7457 +/- ##
==========================================
- Coverage 93.93% 93.91% -0.02%
==========================================
Files 181 181
Lines 13251 13252 +1
==========================================
- Hits 12447 12446 -1
- Misses 804 806 +2
Continue to review full report at Codecov.
|
Both errors were due to a circular object, for which Upgraded to 7.5.3 instead of Snyk's suggested 7.5.0 because these follow-up versions fixed some bugs. |
* master: (55 commits) Accept context via header X-Parse-Cloud-Context (parse-community#7437) [Snyk] Upgrade ws from 7.4.6 to 7.5.3 (parse-community#7457) fix: upgrade @apollographql/graphql-playground-html from 1.6.28 to 1.6.29 (parse-community#7473) fix: upgrade @apollographql/graphql-playground-html from 1.6.27 to 1.6.28 (parse-community#7411) fix: upgrade graphql from 15.5.0 to 15.5.1 (parse-community#7462) [Snyk] Security upgrade parse from 3.2.0 to 3.3.0 (parse-community#7464) fix: upgrade apollo-server-express from 2.25.1 to 2.25.2 (parse-community#7465) fix: upgrade graphql-tag from 2.12.4 to 2.12.5 (parse-community#7466) fix: upgrade graphql-relay from 0.7.0 to 0.8.0 (parse-community#7467) Add MongoDB 5.0 support + bump CI env (parse-community#7469) changed twitter API endpoint for oauth test (parse-community#7472) add runtime deprecation warning (parse-community#7451) bumped node (parse-community#7452) fix: upgrade apollo-server-express from 2.25.0 to 2.25.1 (parse-community#7449) fix: upgrade subscriptions-transport-ws from 0.9.19 to 0.10.0 (parse-community#7450) fix: upgrade mongodb from 3.6.8 to 3.6.9 (parse-community#7445) fix: upgrade mongodb from 3.6.7 to 3.6.8 (parse-community#7430) fix: upgrade apollo-server-express from 2.24.1 to 2.25.0 (parse-community#7435) fix: upgrade ldapjs from 2.2.4 to 2.3.0 (parse-community#7436) fix: upgrade graphql-relay from 0.6.0 to 0.7.0 (parse-community#7443) ...
* bump parse 3.3.0 * Update CHANGELOG.md * update user test (PR #7464) * fix Twitter API oauth Error (PR #7370) * bumped dependencies * Revert "bumped dependencies" This reverts commit 97ad83d. * bump @parse/push-adapter 3.4.1 * bump jwks-rsa@1.12.3 * bump mongodb@3.6.11 * bump ws@7.5.3 * changed logging for circular obj (PR #7457) * Update CHANGELOG.md
🎉 This change has been released in version 5.0.0-beta.1 |
🎉 This change has been released in version 5.0.0 |
Squashed commits: [1306da7] Merge pull request from GHSA-23r4-5mxp-c7g5 [3a5c38d] revert to version 4.5.0 for testing [a3483d8] fix changelog skip 4.5.1 [3c42584] 4.5.2 [97b1dca] revert to version 4.5.0 for testing [f3133ac] Release 4.10.1 (parse-community#7508) * bump parse 3.3.0 * Update CHANGELOG.md * update user test (PR parse-community#7464) * fix Twitter API oauth Error (PR parse-community#7370) * bumped dependencies * Revert "bumped dependencies" This reverts commit 97ad83d. * bump @parse/push-adapter 3.4.1 * bump jwks-rsa@1.12.3 * bump mongodb@3.6.11 * bump ws@7.5.3 * changed logging for circular obj (PR parse-community#7457) * Update CHANGELOG.md [7e1da90] added changelog [0e3cae5] audit fix [f0d5232] bumped version [4ac4b7f] Merge pull request from GHSA-7pr3-p5fm-8r9x * fix: LQ deletes session token * add 4.10.4 * add changes [ef2ec21] ci: update docker image building (parse-community#7553) * docker * Update docker-publish.yml * Update docker-publish.yml [6ae5835] Merge pull request from GHSA-xqp8-w826-hh6x * Backport the advisory fix * Added a 4.10.3 section to CHANGELOG [0bfa6b7] Release 4.10.2 (parse-community#7513) * move graphql-tag from devDependencies to dependencies (parse-community#7183) * bump version * Update CHANGELOG.md [0be0b87] bump version
Squashed commits: [1306da7] Merge pull request from GHSA-23r4-5mxp-c7g5 [3a5c38d] revert to version 4.5.0 for testing [a3483d8] fix changelog skip 4.5.1 [3c42584] 4.5.2 [97b1dca] revert to version 4.5.0 for testing [f3133ac] Release 4.10.1 (parse-community#7508) * bump parse 3.3.0 * Update CHANGELOG.md * update user test (PR parse-community#7464) * fix Twitter API oauth Error (PR parse-community#7370) * bumped dependencies * Revert "bumped dependencies" This reverts commit 97ad83d. * bump @parse/push-adapter 3.4.1 * bump jwks-rsa@1.12.3 * bump mongodb@3.6.11 * bump ws@7.5.3 * changed logging for circular obj (PR parse-community#7457) * Update CHANGELOG.md [7e1da90] added changelog [0e3cae5] audit fix [f0d5232] bumped version [4ac4b7f] Merge pull request from GHSA-7pr3-p5fm-8r9x * fix: LQ deletes session token * add 4.10.4 * add changes [ef2ec21] ci: update docker image building (parse-community#7553) * docker * Update docker-publish.yml * Update docker-publish.yml [6ae5835] Merge pull request from GHSA-xqp8-w826-hh6x * Backport the advisory fix * Added a 4.10.3 section to CHANGELOG [0bfa6b7] Release 4.10.2 (parse-community#7513) * move graphql-tag from devDependencies to dependencies (parse-community#7183) * bump version * Update CHANGELOG.md [0be0b87] bump version
Snyk has created this PR to upgrade ws from 7.4.6 to 7.5.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Release notes
Package name: ws
Features
code
property describing the specific type of errorthat has occurred (#1901).
Bug fixes
framing error) occurs (8806aa9).
connection is closed due to an error (8806aa9).
Bug fixes
A specially crafted value of the
Sec-Websocket-Protocol
header could be usedto significantly slow down a ws server.
const value = 'b' + ' '.repeat(length) + 'x';
const start = process.hrtime.bigint();
value.trim().split(/ , /);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start);
}
The vulnerability was responsibly disclosed along with a fix in private by
Robert McLaughlin from University of California, Santa Barbara.
In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
allowed length of the request headers using the
--max-http-header-size=size
and/or the
maxHeaderSize
options.Commit messages
Package name: ws
Compare
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs