Snyk has created this PR to upgrade ws from 7.4.6 to 7.5.0.
:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 1 version ahead of your current version.
The recommended version was released 22 days ago, on 2021-06-16.
A specially crafted value of the `Sec-WebSocket-Protocol` header could be used to significantly slow down a ws server. The timing loop below shows the cost growing with the length of the header value: a long run of spaces with no comma makes the ` *` quantifier backtrack at every starting position, so the split is quadratic in the header length.

```js
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  // The split vulnerable versions applied to the header value.
  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}
```
The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.
In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the `--max-http-header-size=size` and/or the `maxHeaderSize` options.
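As an added example (not ws's own code), a single-pass parser for the header value that avoids the backtracking split: it accepts a comma-separated list of tokens with optional surrounding whitespace and rejects inner whitespace, empty tokens, illegal characters and repeated names. The names `parseSubprotocols` and `parseCostNs` are mine, not from the project.

```javascript
'use strict';
// Added example, not ws's own code: a single-pass tokenizer for the
// Sec-WebSocket-Protocol header (a comma-separated list of RFC 7230
// tokens, optional whitespace around commas). Each character is read
// once, so cost is linear in header length, unlike split(/ *, */).
const TOKEN_CHARS = new Set(
  "!#$%&'*+-.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ^_`abcdefghijklmnopqrstuvwxyz|~"
);

// Returns the subprotocol names in order; throws SyntaxError on an
// empty token, an illegal character or a repeated name.
function parseSubprotocols(header) {
  const protocols = new Set();
  let start = -1; // index where the current token began, -1 if none
  let end = -1;   // index just past the current token, -1 while open
  const pushToken = (stop) => {
    if (start === -1) throw new SyntaxError('empty subprotocol token');
    const name = header.slice(start, end === -1 ? stop : end);
    if (protocols.has(name)) throw new SyntaxError(`duplicate "${name}"`);
    protocols.add(name);
    start = end = -1;
  };
  for (let i = 0; i < header.length; i++) {
    const c = header[i];
    if (c === ' ' || c === '\t') {
      if (start !== -1 && end === -1) end = i; // whitespace closes a token
    } else if (c === ',') {
      pushToken(i);
    } else if (!TOKEN_CHARS.has(c)) {
      throw new SyntaxError(`illegal character at offset ${i}`);
    } else if (end !== -1) {
      // token chars after inner whitespace ("b   x") are not a valid list
      throw new SyntaxError(`unexpected character at offset ${i}`);
    } else if (start === -1) {
      start = i;
    }
  }
  pushToken(header.length);
  return [...protocols];
}

// Nanoseconds for one parse of the advisory's header shape
// ("b", n spaces, "x"); compare with the regex loop above.
function parseCostNs(length) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const t0 = process.hrtime.bigint();
  try { parseSubprotocols(value); } catch (e) { /* rejected, as intended */ }
  return process.hrtime.bigint() - t0;
}
```

Running `parseCostNs` over the same lengths as the loop above shows the cost growing linearly rather than quadratically, because the scan stops at the first token character that follows the whitespace run.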
Release notes
Package name: ws
Features
- `code` property describing the specific type of error that has occurred (#1901).

Bug fixes
- framing error) occurs (8806aa9).
- connection is closed due to an error (8806aa9).
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.