Skip to content

Update dependency ws to v8.20.0#8

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/ws-8.x
Open

Update dependency ws to v8.20.0#8
renovate[bot] wants to merge 1 commit intomainfrom
renovate/ws-8.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Dec 20, 2021
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
ws 8.3.08.20.0 age confidence

Release Notes

websockets/ws (ws)

v8.20.0

Compare Source

Features

  • Added exports for the PerMessageDeflate class and utilities for the
    Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1).

v8.19.0

Compare Source

Features

  • Added the closeTimeout option (#​2308).

Bug fixes

  • Handled a forthcoming breaking change in Node.js core (1998485).

v8.18.3

Compare Source

Bug fixes

  • Fixed a spec violation where the Sec-WebSocket-Version header was not added
    to the HTTP response if the client requested version was either invalid or
    unacceptable (#​2291).

v8.18.2

Compare Source

Bug fixes

  • Fixed an issue that, during message decompression when the maximum size was
    exceeded, led to the emission of an inaccurate error and closure of the
    connection with an improper close code (#​2285).

v8.18.1

Compare Source

Bug fixes

  • The length of the UNIX domain socket paths in the tests has been shortened to
    make them work when run via CITGM (021f7b8).

v8.18.0

Compare Source

Features

v8.17.1

Compare Source

Bug fixes

A request with a number of headers exceeding theserver.maxHeadersCount
threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

The vulnerability was reported by Ryan LaPointe in #​2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the
    --max-http-header-size=size and/or the maxHeaderSize options so
    that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.

v8.17.0

Compare Source

Features

  • The WebSocket constructor now accepts the createConnection option (#​2219).

Other notable changes

  • The default value of the allowSynchronousEvents option has been changed to
    true (#​2221).

This is a breaking change in a patch release. The assumption is that the option
is not widely used.

v8.16.0

Compare Source

Features

  • Added the autoPong option (01ba54e).

v8.15.1

Compare Source

Notable changes

  • The allowMultipleEventsPerMicrotask option has been renamed to
    allowSynchronousEvents (4ed7fe5).

This is a breaking change in a patch release that could have been avoided with
an alias, but the renamed option was added only 3 days ago, so hopefully it
hasn't already been widely used.

v8.15.0

Compare Source

Features

  • Added the allowMultipleEventsPerMicrotask option (93e3552).

v8.14.2

Compare Source

Bug fixes

  • Fixed an issue that allowed errors thrown by failed assertions to be
    swallowed when running tests (7f4e1a7).

v8.14.1

Compare Source

Bug fixes

  • Improved the reliability of two tests for CITGM (fd3c64c).

v8.14.0

Compare Source

Features

  • The WebSocket constructor now accepts HTTP(S) URLs (#​2162).
  • The socket argument of server.handleUpgrade() can now be a generic
    Duplex stream (#​2165).

Other notable changes

  • At most one event per microtask is now emitted (#​2160).

v8.13.0

Compare Source

Features

  • Added the finishRequest option to support late addition of headers (#​2123).

v8.12.1

Compare Source

Bug fixes

  • Added browser condition to package.json (#​2118).

v8.12.0

Compare Source

Features

  • Added support for utf-8-validate@6 (ff63bba).

Other notable changes

v8.11.0

Compare Source

Features

  • WebSocket.prototype.addEventListener() now supports an event listener
    specified as an object with a handleEvent() method. (9ab743a).

Bug fixes

  • WebSocket.prototype.addEventListener() now adds an event listener only if it
    is not already in the list of the event listeners for the specified event type
    (1cec17d).

v8.10.0

Compare Source

Features

  • Added an export for package.json (211d5d3).

v8.9.0

Compare Source

Features

  • Added the ability to connect to Windows named pipes (#​2079).

v8.8.1

Compare Source

Bug fixes

  • The Authorization and Cookie headers are no longer sent if the original
    request for the opening handshake is sent to an IPC server and the client is
    redirected to another IPC server (bc8bd34).

v8.8.0

Compare Source

Features
  • Added the WS_NO_BUFFER_UTIL and WS_NO_UTF_8_VALIDATE environment
    variables (becf237).

v8.7.0

Compare Source

Features
  • Added the ability to inspect the invalid handshake requests and respond to
    them with a custom HTTP response. (6e5a5ce).
Bug fixes
  • The handshake is now aborted if the Upgrade header field value in the HTTP
    response is not a case-insensitive match for the value "websocket" (0fdcc0a).
  • The Authorization and Cookie headers are no longer sent when following an
    insecure redirect (wss: to ws:) to the same host (d68ba9e).

v8.6.0

Compare Source

Features

  • Added the ability to remove confidential headers on a per-redirect basis (#​2030).

v8.5.0

Compare Source

Features
  • Added the ability to use a custom WebSocket class on the server (#​2007).
Bug fixes
  • When following redirects, the Authorization and Cookie headers are no
    longer sent if the redirect host is different from the original host (#​2013).

v8.4.2

Compare Source

Bug fixes

  • Fixed a data framing issue introduced in version 8.4.1 (#​2004).

v8.4.1

Compare Source

Notable changes

  • To improve performance, strings sent via websocket.ping(),
    websocket.pong(), and websocket.send() are no longer converted to
    Buffers if the data does not need to be masked (#​2000).

v8.4.0

Compare Source

Features

  • Added ability to generate custom masking keys (#​1990).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 6757ec7 to f376a29 Compare January 13, 2022 20:22
@renovate renovate Bot changed the title Update dependency ws to v8.4.0 Update dependency ws to v8.4.1 Jan 13, 2022
@renovate renovate Bot changed the title Update dependency ws to v8.4.1 Update dependency ws to v8.4.2 Jan 14, 2022
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from f376a29 to 1998f26 Compare January 14, 2022 16:01
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 1998f26 to 278d80b Compare February 7, 2022 21:17
@renovate renovate Bot changed the title Update dependency ws to v8.4.2 Update dependency ws to v8.5.0 Feb 7, 2022
@renovate renovate Bot changed the title Update dependency ws to v8.5.0 Update dependency ws to v8.6.0 May 16, 2022
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 278d80b to d3818a6 Compare May 16, 2022 00:25
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from d3818a6 to fe870b2 Compare June 18, 2022 17:40
@renovate renovate Bot changed the title Update dependency ws to v8.6.0 Update dependency ws to v8.8.0 Jun 18, 2022
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from fe870b2 to 4d7a56a Compare July 15, 2022 17:33
@renovate renovate Bot changed the title Update dependency ws to v8.8.0 Update dependency ws to v8.8.1 Jul 15, 2022
@renovate renovate Bot changed the title Update dependency ws to v8.8.1 Update dependency ws to v8.9.0 Sep 25, 2022
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from a001ade to 303aeea Compare November 20, 2022 13:36
@renovate renovate Bot changed the title Update dependency ws to v8.9.0 Update dependency ws to v8.11.0 Nov 20, 2022
@renovate renovate Bot changed the title Update dependency ws to v8.11.0 Update dependency ws to v8.13.0 Mar 16, 2023
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 303aeea to 207934d Compare March 16, 2023 09:02
@renovate renovate Bot changed the title Update dependency ws to v8.13.0 Update dependency ws to v8.14.0 Sep 6, 2023
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 207934d to 232cf45 Compare September 6, 2023 14:25
@renovate renovate Bot changed the title Update dependency ws to v8.14.0 Update dependency ws to v8.14.1 Sep 8, 2023
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 232cf45 to a25b17a Compare September 8, 2023 16:40
@renovate renovate Bot changed the title Update dependency ws to v8.14.1 Update dependency ws to v8.14.2 Sep 19, 2023
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 4d87e21 to 2130328 Compare December 9, 2023 20:00
@renovate renovate Bot changed the title Update dependency ws to v8.14.2 Update dependency ws to v8.15.0 Dec 9, 2023
@renovate renovate Bot changed the title Update dependency ws to v8.15.0 Update dependency ws to v8.15.1 Dec 12, 2023
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 2130328 to d45d5ff Compare December 12, 2023 21:12
@renovate renovate Bot changed the title Update dependency ws to v8.15.1 Update dependency ws to v8.16.0 Dec 26, 2023
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from d45d5ff to 30ada4f Compare December 26, 2023 19:32
@renovate renovate Bot changed the title Update dependency ws to v8.16.0 Update dependency ws to v8.17.0 Apr 28, 2024
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 30ada4f to 3d1ef4a Compare April 28, 2024 08:01
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 3d1ef4a to a4d802e Compare June 16, 2024 15:30
@renovate renovate Bot changed the title Update dependency ws to v8.17.0 Update dependency ws to v8.17.1 Jun 16, 2024
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from a4d802e to 6511720 Compare July 3, 2024 19:06
@renovate renovate Bot changed the title Update dependency ws to v8.17.1 Update dependency ws to v8.18.0 Jul 3, 2024
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 6511720 to 4d9d902 Compare February 21, 2025 11:32
@renovate renovate Bot changed the title Update dependency ws to v8.18.0 Update dependency ws to v8.18.1 Feb 21, 2025
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 4d9d902 to 67c7c9f Compare May 3, 2025 09:22
@renovate renovate Bot changed the title Update dependency ws to v8.18.1 Update dependency ws to v8.18.2 May 3, 2025
@renovate renovate Bot changed the title Update dependency ws to v8.18.2 Update dependency ws to v8.18.3 Jun 28, 2025
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 67c7c9f to 1586eb2 Compare June 28, 2025 14:10
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 1586eb2 to 6e64d25 Compare January 5, 2026 21:57
@renovate renovate Bot changed the title Update dependency ws to v8.18.3 Update dependency ws to v8.19.0 Jan 5, 2026
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from 6e64d25 to 1352808 Compare March 21, 2026 20:40
@renovate renovate Bot changed the title Update dependency ws to v8.19.0 Update dependency ws to v8.20.0 Mar 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants