yfsoftcom / pi


Bump ws from 2.2.3 to 3.3.1 #3

Open dependabot[bot] opened 4 years ago

dependabot[bot] commented 4 years ago

Bumps ws from 2.2.3 to 3.3.1.

Release notes

*Sourced from [ws's releases](https://github.com/websockets/ws/releases).*

> ## 3.3.1
> # Bug fixes
>
> - Fixed a DoS vulnerability (c4fe466).
>
> A specially crafted value of the `Sec-WebSocket-Extensions` header that
> used `Object.prototype` property names as extension or parameter names
> could be used to make a ws server crash.
>
> ```js
> const WebSocket = require('ws');
> const net = require('net');
>
> const wss = new WebSocket.Server({ port: 3000 }, function () {
>   const payload = 'constructor'; // or ',;constructor'
>
>   const request = [
>     'GET / HTTP/1.1',
>     'Connection: Upgrade',
>     'Sec-WebSocket-Key: test',
>     'Sec-WebSocket-Version: 8',
>     `Sec-WebSocket-Extensions: ${payload}`,
>     'Upgrade: websocket',
>     '\r\n'
>   ].join('\r\n');
>
>   const socket = net.connect(3000, function () {
>     socket.resume();
>     socket.write(request);
>   });
> });
> ```
>
> The vulnerability has been privately reported by Nick Starke and
> Ryan Knell of Sonatype Security Research and promptly fixed. Please
> update now!
>
> ## 3.3.0
> # Features
>
> - Added `ecdhCurve` option ([#1228](https://github-redirect.dependabot.com/websockets/ws/issues/1228)).
>
> ## 3.2.0
> # Features
>
> - Added ability to specify the compression level ([#1199](https://github-redirect.dependabot.com/websockets/ws/issues/1199)).
> - Added ability to limit the number of concurrent calls to zlib ([#1204](https://github-redirect.dependabot.com/websockets/ws/issues/1204)).
>
> ## 3.1.0
> # Features
> ... (truncated)

Commits

- [`70eb3b2`](https://github.com/websockets/ws/commit/70eb3b2f6284a361768ea518acb072d13986dade) [dist] 3.3.1
- [`c4fe466`](https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a) [security] Fix DoS vulnerability
- [`56f8062`](https://github.com/websockets/ws/commit/56f80625399de02abfe6c0d718ea5a8939969318) [dist] 3.3.0
- [`72751d3`](https://github.com/websockets/ws/commit/72751d3d72007f64f97f14f1d4472665b6354e63) [test] Skip `family` option test if IPv6 is not supported
- [`e5772a3`](https://github.com/websockets/ws/commit/e5772a35f151f397f6b555ee3a947b4654c95676) chore(package): update nyc to version 11.3.0 ([#1230](https://github-redirect.dependabot.com/websockets/ws/issues/1230))
- [`db729ef`](https://github.com/websockets/ws/commit/db729efe920d8ebca53254c5cbf0a57f7f43744a) [doc] Add documentation for the `ecdhCurve` option
- [`d0741fa`](https://github.com/websockets/ws/commit/d0741faeec6fc6bc6db163545b3534ed822f6cf3) [feature] Add ecdhCurve option ([#1228](https://github-redirect.dependabot.com/websockets/ws/issues/1228))
- [`9303db3`](https://github.com/websockets/ws/commit/9303db3cfafcc1f97e27501d5d3ddc4079f15f5c) [ci] Test on node 9
- [`48b0496`](https://github.com/websockets/ws/commit/48b0496879899f35602856d80460926a4a6c299d) [ci] Do not test on node 4.1.0, use 4.2.0 instead
- [`d6934af`](https://github.com/websockets/ws/commit/d6934afcf22afed25b1b9fd06bd4b1df66659aae) [test] Fix error validation on node 9
- Additional commits viewable in [compare view](https://github.com/websockets/ws/compare/2.2.3...3.3.1)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/yfsoftcom/pi/network/alerts).
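The 3.3.1 release note quoted above describes a crash that comes from using a plain JavaScript object as a lookup table keyed by attacker-controlled header names: names such as `constructor` already resolve through `Object.prototype`, so the code finds a function where it expected nothing and throws. The following is an added example, not code from ws or from this PR, that contrasts a naive `Sec-WebSocket-Extensions` parser with a hardened one using null-prototype objects and an HTTP token check. The function names, the token regex, and the sample headers are assumptions of this example; the bug mechanism shown is the general bug class, not a claim about ws's exact pre-fix code.

```javascript
// Added example, not code from ws or from this PR: parse a
// Sec-WebSocket-Extensions header value into a lookup table without letting
// Object.prototype property names ("constructor", "hasOwnProperty",
// "__proto__", ...) collide with extension or parameter names.
//
// Simplified grammar (RFC 6455 section 9.1): extensions are comma-separated,
// each is `name; param[=value]; param2 ...`. Names and parameter names are
// HTTP tokens (RFC 7230 section 3.2.6).

// Naive parser (the bug class from the 3.3.1 release note, in a constructed
// form): a plain object is the table, so extensions['constructor'] resolves
// to Object via the prototype chain. It is truthy, so no array is created,
// and `.push` on a function throws a TypeError that takes the server down
// if nothing catches it.
function parseExtensionsNaive(header) {
  const extensions = {};
  for (const ext of header.split(',')) {
    const parts = ext.split(';').map((s) => s.trim());
    const name = parts.shift();
    if (!name) continue;
    if (!extensions[name]) extensions[name] = [];
    const params = {};
    for (const p of parts) {
      if (!p) continue;
      const [k, v] = p.split('=').map((s) => s.trim());
      params[k] = v === undefined ? true : v;
    }
    extensions[name].push(params); // TypeError when name is "constructor"
  }
  return extensions;
}

// HTTP token characters (RFC 7230 tchar). Rejecting anything else rules out
// separators and whitespace before a name is ever used as a key.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Hardened parser: tables are null-prototype objects, so every name is an own
// property and `in` only sees what this parser inserted. Names are also
// validated against the token grammar, so a malformed header is rejected with
// a SyntaxError the caller can turn into a 400 response instead of a crash.
function parseExtensionsSafe(header) {
  const extensions = Object.create(null);
  for (const ext of header.split(',')) {
    const parts = ext.split(';').map((s) => s.trim());
    const name = parts.shift();
    if (!name) continue;
    if (!TOKEN_RE.test(name)) {
      throw new SyntaxError(`invalid extension name: ${JSON.stringify(name)}`);
    }
    const params = Object.create(null);
    for (const p of parts) {
      if (!p) continue;
      const eq = p.indexOf('=');
      const key = (eq === -1 ? p : p.slice(0, eq)).trim();
      let value = eq === -1 ? true : p.slice(eq + 1).trim();
      if (!TOKEN_RE.test(key)) {
        throw new SyntaxError(`invalid parameter name: ${JSON.stringify(key)}`);
      }
      // The grammar allows quoted-string values; unwrap the surrounding quotes.
      if (typeof value === 'string' && value.length >= 2 &&
          value.startsWith('"') && value.endsWith('"')) {
        value = value.slice(1, -1);
      }
      params[key] = value;
    }
    if (!(name in extensions)) extensions[name] = [];
    extensions[name].push(params);
  }
  return extensions;
}

// Regression-style check: true when the naive parser throws a TypeError on
// the header and the hardened parser accepts it.
function naiveCrashesSafeSurvives(header) {
  let naiveThrew = false;
  try { parseExtensionsNaive(header); } catch (e) { naiveThrew = e instanceof TypeError; }
  let safeOk = false;
  try { parseExtensionsSafe(header); safeOk = true; } catch (e) { safeOk = false; }
  return naiveThrew && safeOk;
}
```

The same defensive pattern applies anywhere untrusted strings become object keys: either use `Object.create(null)` or a `Map`, and validate the key against the protocol's own grammar before storing it.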
dependabot[bot] commented 4 years ago

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.