renovate[bot]
commented
3 months ago ⚠️ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: yarn.lock
[16:29:27.694] INFO (53): Installing tool node@9.11.2...
[16:29:36.516] WARN (53): Npm error:
npm ERR! weird error 1
[16:29:36.516] FATAL (53): node-gyp update command failed
err: {
"type": "Error",
"message": "node-gyp update command failed",
"stack":
Error: node-gyp update command failed
at InstallNodeService.updateNodeGyp (/snapshot/dist/containerbase-cli.js:51351:13)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async InstallNodeService.install (/snapshot/dist/containerbase-cli.js:51615:7)
at async InstallToolService.execute (/snapshot/dist/containerbase-cli.js:52185:11)
at async InstallToolShortCommand.execute (/snapshot/dist/containerbase-cli.js:52434:14)
at async InstallToolShortCommand.validateAndExecute (/snapshot/dist/containerbase-cli.js:2428:26)
at async _Cli.run (/snapshot/dist/containerbase-cli.js:3541:22)
at async _Cli.runExit (/snapshot/dist/containerbase-cli.js:3549:28)
at async main (/snapshot/dist/containerbase-cli.js:52628:3)
}
[16:29:36.916] INFO (53): Installed tool node with errors in 9.2s.
This PR contains the following updates:
6.2.2->6.2.3GitHub Vulnerability Alerts
CVE-2024-37890
Impact
A request with a number of headers exceeding the
server.maxHeadersCountthreshold could be used to crash a ws server.Proof of concept
Patches
The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)
Workarounds
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=sizeand/or themaxHeaderSizeoptions so that no more headers than theserver.maxHeadersCountlimit can be sent.server.maxHeadersCountto0so that no limit is applied.Credits
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
References
Release Notes
websockets/ws (ws)
### [`v6.2.3`](https://togithub.com/websockets/ws/releases/tag/6.2.3) [Compare Source](https://togithub.com/websockets/ws/compare/6.2.2...6.2.3) ### Bug fixes - Backported [`e55e510`](https://togithub.com/websockets/ws/commit/e55e5106) to the 6.x release line ([`eeb76d3`](https://togithub.com/websockets/ws/commit/eeb76d31)).Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.