[Snyk] Upgrade ws from 7.0.0 to 7.4.6

[snyk-bot]

Snyk has created this PR to upgrade ws from 7.0.0 to 7.4.6.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 18 versions ahead of your current version.
• The recommended version was released a month ago, on 2021-05-25.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	479/1000 Why? Has a fix available, CVSS 5.3	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: ws

• 7.4.6 - 2021-05-25
  

  Bug fixes

  • Fixed a ReDoS vulnerability (00c425e).

  A specially crafted value of the Sec-Websocket-Protocol header could be used
  to significantly slow down a ws server.

  for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ , /);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
  }

  The vulnerability was responsibly disclosed along with a fix in private by
  Robert McLaughlin from University of California, Santa Barbara.

  In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
  allowed length of the request headers using the --max-http-header-size=size
  and/or the maxHeaderSize options.

• 7.4.5 - 2021-04-18
  

  Bug fixes

  • UTF-8 validation is now done even if utf-8-validate is not installed
    (23ba6b2).
  • Fixed an edge case where websocket.close() and websocket.terminate() did
    not close the connection (67e25ff).
• 7.4.4 - 2021-03-06
  

  Bug fixes

  • Fixed a bug that could cause the process to crash when using the
    permessage-deflate extension (9277437).
• 7.4.3 - 2021-02-02
  

  Bug fixes

  • The deflate/inflate stream is now reset instead of reinitialized when context
    takeover is disabled (#1840).
• 7.4.2 - 2020-12-29
  

  Bug fixes

  • Silenced a deprecation warning (a2c0d44).
• 7.4.1 - 2020-12-04
• 7.4.0 - 2020-11-08
• 7.3.1 - 2020-07-05
• 7.3.0 - 2020-05-10
• 7.2.5 - 2020-04-25
• 7.2.3 - 2020-03-09
• 7.2.2 - 2020-03-08
• 7.2.1 - 2019-12-14
• 7.2.0 - 2019-10-19
• 7.1.2 - 2019-08-12
• 7.1.1 - 2019-07-19
• 7.1.0 - 2019-07-08
• 7.0.1 - 2019-06-17
• 7.0.0 - 2019-04-30

from ws GitHub release notes

Commit messages

Package name: ws

• f5297f7 [dist] 7.4.6
• 00c425e [security] Fix ReDoS vulnerability
• 990306d [lint] Fix prettier error
• 32e3a84 [security] Remove reference to Node Security Project
• 8c914d1 [minor] Fix nits
• fc7e27d [ci] Test on node 16
• 587c201 [ci] Do not test on node 15
• f672710 [dist] 7.4.5
• 67e25ff [fix] Fix case where `abortHandshake()` does not close the connection
• 23ba6b2 [fix] Make UTF-8 validation work even if utf-8-validate is not installed
• 114de9e [ci] Use a unique ID instead of commit SHA
• d75a62e [ci] Include commit SHA in `flag-name`
• a74dd2e [dist] 7.4.4
• 9277437 [fix] Recreate the inflate stream if it ends
• cbff929 [doc] Improve `websocket.terminate()` documentation
• 489a295 [ci] Use GitHub Actions (#1853)
• 77370e0 [pkg] Update eslint-config-prettier to version 8.1.0
• 99338f7 [doc] Fix `data` argument type (#1843)
• 223194e [dist] 7.4.3
• 4e9607b [perf] Reset compressor/decompressor instead of re-initialize (#1840)
• 2789887 [minor] Use `request.socket` instead of `request.connection`
• 2079ca5 [test] Increase code coverage
• d1a8af4 [dist] 7.4.2
• 48a2349 [pkg] Update eslint-config-prettier to version 7.1.0

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs