Release notes
*Sourced from [ws's releases](https://github.com/websockets/ws/releases).*
> ## 1.1.5
> # Bug fixes
>
> - Fixed a DoS vulnerability (f8fdcd4).
>
> ## 1.1.4
> # Notable changes
>
> - Removed istanbul coverage folder from npm package (fac50ac).
>
> ## 1.1.3
> # Notable changes
>
> - Added support for `bufferutil@>1` and `utf-8-validate@>2` (b4cf110).
>
> ## 1.1.2
> # Bug fixes
> - The masking key is now generated using `crypto.randomBytes()` instead of
> `Math.random()` ([#994](https://github-redirect.dependabot.com/websockets/ws/issues/994)).
> - Fixed an issue that could cause a stack overflow crash (c1f3b21).
>
> ## 1.1.1
> https://github.com/websockets/ws/compare/1.1.0...1.1.1
>
> ## 1.1.0
> https://github.com/websockets/ws/compare/1.0.1...1.1.0
>
> ## Buffer vulnerability
> There has been a vulnerability in the ping functionality of the `ws` module which allowed clients to allocate memory by simply sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally we always transform all data that we need to send to a `Buffer` instance, and this is where the problem was. We didn't do any checks for the type of data we were sending. With buffers in node, when you allocate one with a number instead of a string, it will allocate that amount of bytes.
>
> ``` js
> var x = new Buffer(100);
> // vs
> var x = new Buffer('100');
> ```
>
> This would allocate 100 bytes of memory in the first example and just 3 bytes with `100` as value in the second example. So when the server would receive a ping message of `1000` it would allocate 1000 bytes on the server and return a non-zeroed buffer to the client instead of the actual `100` message.
>
> ``` js
> var ws = require('ws')
>
> var server = new ws.Server({ port: 9000 })
> var client = new ws('ws://localhost:9000')
>
> client.on('open', function () {
>   console.log('open')
>   client.ping(50) // this makes the server return a non-zeroed buffer of 50 bytes
>
>   client.on('pong', function (data) {
>     console.log('got pong')
> ... (truncated)
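The size-versus-content confusion the release note describes, shown beside the input check a ping echo needs. This is an added example, not code from ws; `unsafeToBuffer` and `safeToBuffer` are hypothetical names, and the 125-byte limit is the control-frame payload maximum from RFC 6455, not something the release note mentions.

```javascript
// Added example (not ws's own code): the unsafe payload coercion the release
// note describes, beside the check that should guard a ping echo. Modern Node
// zero-fills `new Buffer(n)`, but the size confusion itself is unchanged.

// RFC 6455 caps control-frame (ping/pong) payloads at 125 bytes.
const MAX_CONTROL_PAYLOAD = 125;

// Unsafe: a number is taken as a byte *count*, so a ping of 1000 yields a
// 1000-byte buffer rather than the 4-byte text "1000". `new Buffer` is
// deprecated and is kept here only to mirror the bug.
function unsafeToBuffer(data) {
  return Buffer.isBuffer(data) ? data : new Buffer(data);
}

// Safe: only strings and Buffers are accepted as payload, so a number can
// never become an allocation size, and the result is length-checked before
// it can be echoed back in a pong frame.
function safeToBuffer(data) {
  let buf;
  if (Buffer.isBuffer(data)) {
    buf = data;
  } else if (typeof data === 'string') {
    buf = Buffer.from(data, 'utf8');
  } else {
    throw new TypeError('ping payload must be a string or Buffer');
  }
  if (buf.length > MAX_CONTROL_PAYLOAD) {
    throw new RangeError('control frame payload exceeds 125 bytes');
  }
  return buf;
}
```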
Commits
- [`24edef5`](https://github.com/websockets/ws/commit/24edef58a0aab05e8220f76bd2377614dd4eee85) [dist] 1.1.5
- [`f8fdcd4`](https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407) [security] Fix DoS vulnerability
- [`f7cfc51`](https://github.com/websockets/ws/commit/f7cfc51a9f4364c80d43329e8e604aff00e89e2a) [pkg] Remove .npmignore in favor of `files` package.json field
- [`19106a1`](https://github.com/websockets/ws/commit/19106a14d1782bed6f3b12a612e1a73a4970fdbe) [dist] 1.1.4
- [`fac50ac`](https://github.com/websockets/ws/commit/fac50ac767d7ba27eb63f6b5fcc9390fdb2cbea7) [ignore] Add coverage folder to .npmignore
- [`3213205`](https://github.com/websockets/ws/commit/32132056da3a4223f86f4337ef633cebaebea9b0) [dist] 1.1.3
- [`b4cf110`](https://github.com/websockets/ws/commit/b4cf1100d83ded87ea0d087694234d4dd894d8f1) [fix] Add compatibility with bufferutil@>1 and utf-8-validate@>2
- [`98f0d21`](https://github.com/websockets/ws/commit/98f0d21f49c0d2c2daa175f840bc36c44d2729b1) [dist] 1.1.2
- [`b6ac431`](https://github.com/websockets/ws/commit/b6ac431e6b8b0b6400e172d6a4d1a4322044b6f1) [minor] Avoid using `process.nextTick()`
- [`c1f3b21`](https://github.com/websockets/ws/commit/c1f3b2102b802f16bc2b53623afaa7edefa940c9) [fix] Fix stack overflow crash
- Additional commits viewable in [compare view](https://github.com/websockets/ws/compare/0.8.1...1.1.5)
Maintainer changes
This version was pushed to npm by [lpinca](https://www.npmjs.com/~lpinca), a new releaser for ws since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/inProgress-team/react-native-meteor/network/alerts).
Bumps ws from 0.8.1 to 1.1.5.