-
Notifications
You must be signed in to change notification settings - Fork 345
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency ws to v8 [security] #7595
Open
live-github-bot
wants to merge
1
commit into
develop
Choose a base branch
from
renovate/npm-ws-vulnerability
base: develop
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+52
−43
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 5 Skipped Deployments
|
Removed dependencies detected. Learn more about Socket for GitHub ↗︎ 🚮 Removed packages: npm/[email protected] |
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
August 14, 2024 22:06
87f790d
to
a2e74a9
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
August 14, 2024 22:14
a2e74a9
to
b37c1c5
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
August 14, 2024 22:25
b37c1c5
to
3bc15be
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
August 14, 2024 22:34
3bc15be
to
2819415
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
August 14, 2024 22:42
2819415
to
412337d
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
August 14, 2024 22:48
412337d
to
63cba8c
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
August 14, 2024 22:55
63cba8c
to
944b294
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
August 14, 2024 23:01
944b294
to
689a0ce
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
August 15, 2024 22:05
689a0ce
to
da11ebc
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
August 15, 2024 22:14
da11ebc
to
4f03efb
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
August 15, 2024 22:25
4f03efb
to
dfc427a
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
December 12, 2024 22:54
be8c5e0
to
1b8e488
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
December 12, 2024 23:01
1b8e488
to
ff47f2c
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
December 12, 2024 23:10
ff47f2c
to
43b737f
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
December 13, 2024 22:06
43b737f
to
a33e3a9
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
December 13, 2024 22:15
a33e3a9
to
f076750
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
December 13, 2024 22:28
f076750
to
6cc7038
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
December 13, 2024 22:38
6cc7038
to
912bd0b
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
December 13, 2024 22:47
912bd0b
to
dbdf2b7
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
December 13, 2024 22:53
dbdf2b7
to
6c33580
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
December 13, 2024 23:00
6c33580
to
d7190c1
Compare
live-github-bot
bot
force-pushed
the
renovate/npm-ws-vulnerability
branch
from
December 13, 2024 23:08
d7190c1
to
c0c3db7
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
7
->8
8.17.1
->8.18.0
GitHub Vulnerability Alerts
CVE-2024-37890
Impact
A request with a number of headers exceeding the
server.maxHeadersCount
threshold could be used to crash a ws server.Proof of concept
Patches
The vulnerability was fixed in [email protected] (websockets/ws@e55e510) and backported to [email protected] (websockets/ws@22c2876), [email protected] (websockets/ws@eeb76d3), and [email protected] (websockets/ws@4abd8f6)
Workarounds
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=size
and/or themaxHeaderSize
options so that no more headers than theserver.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.Credits
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
References
Release Notes
websockets/ws (ws)
v8.0.0
Compare Source
Breaking changes
The
WebSocket
constructor now throws aSyntaxError
if any of thesubprotocol names are invalid or duplicated (
0aecf0c
).The server now aborts the opening handshake if an invalid
Sec-WebSocket-Protocol
header field value is received (1877dde
).The
protocols
argument ofhandleProtocols
hook is no longer anArray
buta
Set
(1877dde
).The opening handshake is now aborted if the
Sec-WebSocket-Extensions
headerfield value is empty or it begins or ends with a white space (
e814110
).Dropped support for Node.js < 10.0.0 (
552b506
).The
WebSocket
constructor now throws aSyntaxError
if the connection URLcontains a fragment identifier or if the URL's protocol is not one of
'ws:'
,'wss:'
, or'ws+unix:'
(ebea038
).Text messages and close reasons are no longer decoded to strings. They are
passed as
Buffer
s to the listeners of their respective events. The listenersof the
'message'
event now take a boolean argument specifying whether or notthe message is binary (
e173423
).Existing code can be migrated by decoding the buffer explicitly.
The package now uses an ES module wrapper (
78adf5f
).WebSocketServer.prototype.close()
no longer closes existing connections(
df7de57
).Existing code can be migrated by closing the connections manually.
The callback of
WebSocketServer.prototype.close()
is now called with anerror if the server is already closed (
abde9cf
).WebSocket.prototype.addEventListener()
is now a noop if thetype
argumentis not one of
'close'
,'error'
,'message'
, or'open'
(9558ed1
).WebSocket.prototype.removeEventListener()
now only removes listeners addedwith
WebSocket.prototype.addEventListener()
and only one at time (ea95d9c
).The value of the
onclose
,onerror
,onmessage
, andonopen
properties isnow
null
if the respective event handler is not set (6756cf5
).The
OpenEvent
class has been removed (21e6500
).Bug fixes
event listeners added with
WebSocket.prototype.addEventListener()
(
0b21c03
).Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot.