In vulnerable versions of ws, the issue can be mitigated in the following ways:
Reduce the maximum allowed length of the request headers using the
[--max-http-header-size=size][] and/or the [maxHeaderSize][] options so
that no more headers than the server.maxHeadersCount limit can be sent.
the ClusterAdapter class, which manages the messages sent between the server instances of the cluster
the ClusterAdapterWithHeartbeat class, which extends the ClusterAdapter and adds a heartbeat mechanism in order to check the healthiness of the other instances
Other adapters can then just extend those classes and only have to implement the pub/sub mechanism (and not the internal chit-chat protocol):
Besides, the number of "timeout reached: only x responses received out of y" errors (which can happen when a server instance leaves the cluster) should be greatly reduced by this commit.
Bug Fixes
cluster: fix count in fetchSockets() method (80af4e9)
cluster: notify the other nodes when closing (0e23ff0)
the ClusterAdapter class, which manages the messages sent between the server instances of the cluster
the ClusterAdapterWithHeartbeat class, which extends the ClusterAdapter and adds a heartbeat mechanism in order to check the healthiness of the other instances
Other adapters can then just extend those classes and only have to implement the pub/sub mechanism (and not the internal chit-chat protocol):
Besides, the number of "timeout reached: only x responses received out of y" errors (which can happen when a server instance leaves the cluster) should be greatly reduced by this commit.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/servo/servo.org/network/alerts).
Bumps ws, engine.io-client, engine.io and socket.io-adapter. These dependencies needed to be updated together. Updates
ws
from 8.11.0 to 8.17.1Release notes
Sourced from ws's releases.
... (truncated)
Commits
3c56601
[dist] 8.17.1e55e510
[security] Fix crash when the Upgrade header cannot be read (#2231)6a00029
[test] Increase code coverageddfe4a8
[perf] Reduce the amount ofcrypto.randomFillSync()
callsb73b118
[dist] 8.17.029694a5
[test] Use thehighWaterMark
variable934c9d6
[ci] Test on node 221817bac
[ci] Do not test on node 2196c9b3d
[major] Flip the default value ofallowSynchronousEvents
(#2221)e5f32c7
[fix] Emit at most one event per event loop iteration (#2218)Updates
engine.io-client
from 6.5.2 to 6.5.4Release notes
Sourced from engine.io-client's releases.
Changelog
Sourced from engine.io-client's changelog.
Commits
454940d
chore(release): 6.5.40eb956b
chore: bump ws to version 8.17.1fa47916
chore(release): 6.5.3ef9ad7d
ci: add Node.js 20 in the test matrix707597d
fix: add a maximum length for the URL8d86e0d
chore: bump browserify-sign from 4.2.1 to 4.2.2 (#713)f2aca29
chore: bump@babel/traverse
from 7.12.9 to 7.23.2 (#712)c1795ef
refactor: export TransportError (#709)46ef851
fix: improve compatibility with node16 module resolution (#711)3dcb88c
docs: add note about the agent optionUpdates
engine.io
from 6.5.2 to 6.5.5Release notes
Sourced from engine.io's releases.
Changelog
Sourced from engine.io's changelog.
Commits
0cb977a
chore(release): 6.5.5adaa207
chore(deps): bump ws from 8.11.0 to 8.17.1 (#702)0efa04b
fix(types): make socket.request writable (#697)ff0fbfb
chore(release): 6.5.409acb17
ci: add Node.js 20 in the test matrix39937f8
refactor: minor cleanups43c1c1c
refactor: simplify code3b5e79e
refactor: remove useless referencesf27a6c3
refactor: remove useless reference2da559a
chore(release): 6.5.3Updates
socket.io-adapter
from 2.5.2 to 2.5.5Release notes
Sourced from socket.io-adapter's releases.
... (truncated)
Changelog
Sourced from socket.io-adapter's changelog.
... (truncated)
Commits
05a190a
chore(release): 6.5.593fe190
chore(deps): bump ws from 8.11.0 to 8.17.1 (#93)5eae5a0
chore(release): 2.5.4005d546
ci: test with older TypeScript versiona13f35f
fix: ensure the order of the commands207c0db
refactor: break circular dependency (2)abc93a9
refactor: break circular dependency (1)9d4c4a7
refactor(cluster): export ClusterAdapterOptions and MessageType typesca397f3
fix(types): ensure compatibility with TypeScript < 4.5549156c
chore(release): 2.5.3Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show