ansble / monument

event based http server for nodejs
http://monument.ansble.com
MIT License
34 stars 45 forks source link

[Snyk] Security upgrade ws from 6.0.0 to 7.4.6 #666

Open snyk-bot opened 3 years ago

snyk-bot commented 3 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 551/1000
Why? Recently disclosed, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: ws The new version differs by 242 commits.
  • f5297f7 [dist] 7.4.6
  • 00c425e [security] Fix ReDoS vulnerability
  • 990306d [lint] Fix prettier error
  • 32e3a84 [security] Remove reference to Node Security Project
  • 8c914d1 [minor] Fix nits
  • fc7e27d [ci] Test on node 16
  • 587c201 [ci] Do not test on node 15
  • f672710 [dist] 7.4.5
  • 67e25ff [fix] Fix case where `abortHandshake()` does not close the connection
  • 23ba6b2 [fix] Make UTF-8 validation work even if utf-8-validate is not installed
  • 114de9e [ci] Use a unique ID instead of commit SHA
  • d75a62e [ci] Include commit SHA in `flag-name`
  • a74dd2e [dist] 7.4.4
  • 9277437 [fix] Recreate the inflate stream if it ends
  • cbff929 [doc] Improve `websocket.terminate()` documentation
  • 489a295 [ci] Use GitHub Actions (#1853)
  • 77370e0 [pkg] Update eslint-config-prettier to version 8.1.0
  • 99338f7 [doc] Fix `data` argument type (#1843)
  • 223194e [dist] 7.4.3
  • 4e9607b [perf] Reset compressor/decompressor instead of re-initialize (#1840)
  • 2789887 [minor] Use `request.socket` instead of `request.connection`
  • 2079ca5 [test] Increase code coverage
  • d1a8af4 [dist] 7.4.2
  • 48a2349 [pkg] Update eslint-config-prettier to version 7.1.0
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic