In vulnerable versions of ws, the issue can be mitigated in the following ways:
Reduce the maximum allowed length of the request headers using the
[--max-http-header-size=size][] and/or the [maxHeaderSize][] options so
that no more headers than the server.maxHeadersCount limit can be sent.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/miguelgrinberg/python-engineio/network/alerts).
Bumps ws to 8.17.1 and updates ancestor dependencies ws, engine.io and engine.io-client. These dependencies need to be updated together.
Updates
ws
from 8.11.0 to 8.17.1Release notes
Sourced from ws's releases.
... (truncated)
Commits
3c56601
[dist] 8.17.1e55e510
[security] Fix crash when the Upgrade header cannot be read (#2231)6a00029
[test] Increase code coverageddfe4a8
[perf] Reduce the amount ofcrypto.randomFillSync()
callsb73b118
[dist] 8.17.029694a5
[test] Use thehighWaterMark
variable934c9d6
[ci] Test on node 221817bac
[ci] Do not test on node 2196c9b3d
[major] Flip the default value ofallowSynchronousEvents
(#2221)e5f32c7
[fix] Emit at most one event per event loop iteration (#2218)Updates
engine.io
from 6.4.2 to 6.6.0Release notes
Sourced from engine.io's releases.
... (truncated)
Changelog
Sourced from engine.io's changelog.
... (truncated)
Commits
791aa58
chore(release): 6.6.06d8a0be
refactor: move thereq
attribute to the polling classc310b7b
refactor: improve types362bc78
fix: properly call the send callback during upgradeafd2934
chore(dev-deps): bump ws and engine.io-client in /examples/memory-usage (#703)56c4664
chore(deps-dev): bump braces from 3.0.2 to 3.0.3 (#701)6b9e3e4
refactor: improve typesf521cba
refactor: simplify the heartbeat code5359bae
perf: do not reset the hearbeat timer on each packetd3f45dc
docs(changelog): add release notes for versions 3.6.2 and 6.5.5Updates
engine.io-client
from 4.1.4 to 6.6.0Release notes
Sourced from engine.io-client's releases.
... (truncated)
Changelog
Sourced from engine.io-client's changelog.
... (truncated)
Commits
a17cbc5
chore(release): 6.6.072408ad
docs(changelog): include release notes from versions 3.5.3, 3.5.4 and 6.5.4e97a4d3
chore: bump ws from 8.11.0 to 8.17.1 (#720)b624c50
fix: add some randomness to the cache busting string generatorc087dc5
docs(changelog): include the size of the bundlece13763
ci: upgrade to actions/checkout@4 and actions/setup-node@474cfb98
refactor: prefix private attributes to allow property mangling2b9abbb
chore: restore the debug package in the dev bundlee105551
fix: fix cookie management with WebSocket (Node.js only)3f66478
chore: remove unused rollup pluginDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show