Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(deps): Bump ws from 7.4.5 to 7.5.0 (#148)
Bumps [ws](https://github.com/websockets/ws) from 7.4.5 to 7.5.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/websockets/ws/releases">ws's releases</a>.</em></p> <blockquote> <h2>7.5.0</h2> <h1>Features</h1> <ul> <li>Some errors now have a <code>code</code> property describing the specific type of error that has occurred (<a href="https://github-redirect.dependabot.com/websockets/ws/issues/1901">#1901</a>).</li> </ul> <h1>Bug fixes</h1> <ul> <li>A close frame is now sent to the remote peer if an error (such as a data framing error) occurs (8806aa9a).</li> <li>The close code is now always 1006 if no close frame is received, even if the connection is closed due to an error (8806aa9a).</li> </ul> <h2>7.4.6</h2> <h1>Bug fixes</h1> <ul> <li>Fixed a ReDoS vulnerability (00c425ec).</li> </ul> <p>A specially crafted value of the <code>Sec-Websocket-Protocol</code> header could be used to significantly slow down a ws server.</p> <pre lang="js"><code>for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) { const value = 'b' + ' '.repeat(length) + 'x'; const start = process.hrtime.bigint(); <p>value.trim().split(/ *, */);</p> <p>const end = process.hrtime.bigint();</p> <p>console.log('length = %d, time = %f ns', length, end - start); } </code></pre></p> <p>The vulnerability was responsibly disclosed along with a fix in private by <a href="https://github.com/robmcl4">Robert McLaughlin</a> from University of California, Santa Barbara.</p> <p>In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the <a href="https://nodejs.org/api/cli.html#cli_max_http_header_size_size"><code>--max-http-header-size=size</code></a> and/or the <a href="https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener"><code>maxHeaderSize</code></a> options.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/websockets/ws/commit/e3f0c1720aab640fe78dc578907046fb84422ccd"><code>e3f0c17</code></a> [dist] 7.5.0</li> <li><a href="https://github.com/websockets/ws/commit/1d3f4cbb0ebb2519f6cc707e9f4344006d74ce03"><code>1d3f4cb</code></a> [doc] Fix anchor tags for error codes</li> <li><a href="https://github.com/websockets/ws/commit/6eea0d466b08a278c048092ee1cb06aee9f48cc9"><code>6eea0d4</code></a> [doc] Fix typo</li> <li><a href="https://github.com/websockets/ws/commit/bb5d44b11880861f9fb0429e2c132f435a78198b"><code>bb5d44b</code></a> [doc] Sort error codes alphabetically</li> <li><a href="https://github.com/websockets/ws/commit/c6e30806704cd1ff35282b85132bd29fca8acec8"><code>c6e3080</code></a> [minor] Attach error codes to all receiver errors (<a href="https://github-redirect.dependabot.com/websockets/ws/issues/1901">#1901</a>)</li> <li><a href="https://github.com/websockets/ws/commit/074e6a8be7275a69a407f6c1fa2270c754d2834b"><code>074e6a8</code></a> [fix] Don't call <code>ws.terminate()</code> unconditionally in <code>duplex._destroy()</code></li> <li><a href="https://github.com/websockets/ws/commit/8806aa9a836c3a616c9511adad159c65eeb153b0"><code>8806aa9</code></a> [fix] Close the connection cleanly when an error occurs</li> <li><a href="https://github.com/websockets/ws/commit/05b8ccd639a91428d7440ad350b8d4301636b2e2"><code>05b8ccd</code></a> [doc] Fix broken link (<a href="https://github-redirect.dependabot.com/websockets/ws/issues/1897">#1897</a>)</li> <li><a href="https://github.com/websockets/ws/commit/03a707884c591d56ad69c4c1ddd34cab0449b1fe"><code>03a7078</code></a> [doc] Remove unsafe regex from code snippet</li> <li><a href="https://github.com/websockets/ws/commit/7ee31157d7b14bb94e0d0fd223a4a5508f4c39b9"><code>7ee3115</code></a> [doc] Add logo to coverage badge</li> <li>Additional commits viewable in <a href="https://github.com/websockets/ws/compare/7.4.5...7.5.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> [skip ci] 235cc6a
- Loading branch information
1 parent
efb0862
commit 4d0b854