Snyk has created this PR to upgrade ws from 7.4.6 to 7.5.1.
:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 2 versions ahead of your current version.
The recommended version was released 3 days ago, on 2021-06-29.
A specially crafted value of the Sec-Websocket-Protocol header could be used
to significantly slow down a ws server.
for(constlengthof[1000,2000,4000,8000,16000,32000]){constvalue='b'+' '.repeat(length)+'x';conststart=process.hrtime.bigint();value.trim().split(/*, */);constend=process.hrtime.bigint();console.log('length = %d, time = %f ns',length,end-start);}
The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.
In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
allowed length of the request headers using the --max-http-header-size=size
and/or the maxHeaderSize options.
Snyk has created this PR to upgrade ws from 7.4.6 to 7.5.1.
:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Release notes
Package name: ws
-
7.5.1 - 2021-06-29
- Fixed an issue that prevented the connection from being closed properly if an
-
7.5.0 - 2021-06-16
- Some errors now have a
- A close frame is now sent to the remote peer if an error (such as a data
- The close code is now always 1006 if no close frame is received, even if the
-
7.4.6 - 2021-05-25
- Fixed a ReDoS vulnerability (00c425e).
from ws GitHub release notesBug fixes
error occurred simultaneously on both peers (b434b9f).
Features
codeproperty describing the specific type of errorthat has occurred (#1901).
Bug fixes
framing error) occurs (8806aa9).
connection is closed due to an error (8806aa9).
Bug fixes
A specially crafted value of the
Sec-Websocket-Protocolheader could be usedto significantly slow down a ws server.
The vulnerability was responsibly disclosed along with a fix in private by
Robert McLaughlin from University of California, Santa Barbara.
In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
allowed length of the request headers using the
--max-http-header-size=sizeand/or the
maxHeaderSizeoptions.Commit messages
Package name: ws
- 38c6c73 [dist] 7.5.1
- 2916006 [test] Add more tests for `WebSocket.prototype.close()`
- b434b9f [fix] Fix close edge cases
- c3fdc99 [minor] Fix misleading comment
- 145480a [test] Fix repeated typo
- e3f0c17 [dist] 7.5.0
- 1d3f4cb [doc] Fix anchor tags for error codes
- 6eea0d4 [doc] Fix typo
- bb5d44b [doc] Sort error codes alphabetically
- c6e3080 [minor] Attach error codes to all receiver errors (#1901)
- 074e6a8 [fix] Don't call `ws.terminate()` unconditionally in `duplex._destroy()`
- 8806aa9 [fix] Close the connection cleanly when an error occurs
- 05b8ccd [doc] Fix broken link (#1897)
- 03a7078 [doc] Remove unsafe regex from code snippet
- 7ee3115 [doc] Add logo to coverage badge
- edff6bb [test] Fix nit
- 262e45a [test] Rename certificates and private keys files
- d18c677 [security] Update link to point to published security advisories
- 2f2b3e8 [test] Update certificates and private keys
- c05d51f [security] Add ReDoS vulnerability to SECURITY.md
CompareNote: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs