Release notes
*Sourced from [ws's releases](https://github.com/websockets/ws/releases).*
> ## 3.3.1
> # Bug fixes
>
> - Fixed a DoS vulnerability (c4fe466).
>
> A specially crafted value of the `Sec-WebSocket-Extensions` header that
> used `Object.prototype` property names as extension or parameter names
> could be used to make a ws server crash.
>
> ```js
> const WebSocket = require('ws');
> const net = require('net');
>
> const wss = new WebSocket.Server({ port: 3000 }, function () {
>   const payload = 'constructor'; // or ',;constructor'
>
>   const request = [
>     'GET / HTTP/1.1',
>     'Connection: Upgrade',
>     'Sec-WebSocket-Key: test',
>     'Sec-WebSocket-Version: 8',
>     `Sec-WebSocket-Extensions: ${payload}`,
>     'Upgrade: websocket',
>     '\r\n'
>   ].join('\r\n');
>
>   const socket = net.connect(3000, function () {
>     socket.resume();
>     socket.write(request);
>   });
> });
> ```
>
> The vulnerability has been privately reported by Nick Starke and
> Ryan Knell of Sonatype Security Research and promptly fixed. Please
> update now!
>
> ## 3.3.0
> # Features
>
> - Added `ecdhCurve` option ([#1228](https://github-redirect.dependabot.com/websockets/ws/issues/1228)).
>
> ## 3.2.0
> # Features
>
> - Added ability to specify the compression level ([#1199](https://github-redirect.dependabot.com/websockets/ws/issues/1199)).
> - Added ability to limit the number of concurrent calls to zlib ([#1204](https://github-redirect.dependabot.com/websockets/ws/issues/1204)).
>
> ## 3.1.0
> # Features
> ... (truncated)
Commits
- [`70eb3b2`](https://github.com/websockets/ws/commit/70eb3b2f6284a361768ea518acb072d13986dade) [dist] 3.3.1
- [`c4fe466`](https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a) [security] Fix DoS vulnerability
- [`56f8062`](https://github.com/websockets/ws/commit/56f80625399de02abfe6c0d718ea5a8939969318) [dist] 3.3.0
- [`72751d3`](https://github.com/websockets/ws/commit/72751d3d72007f64f97f14f1d4472665b6354e63) [test] Skip `family` option test if IPv6 is not supported
- [`e5772a3`](https://github.com/websockets/ws/commit/e5772a35f151f397f6b555ee3a947b4654c95676) chore(package): update nyc to version 11.3.0 ([#1230](https://github-redirect.dependabot.com/websockets/ws/issues/1230))
- [`db729ef`](https://github.com/websockets/ws/commit/db729efe920d8ebca53254c5cbf0a57f7f43744a) [doc] Add documentation for the `ecdhCurve` option
- [`d0741fa`](https://github.com/websockets/ws/commit/d0741faeec6fc6bc6db163545b3534ed822f6cf3) [feature] Add ecdhCurve option ([#1228](https://github-redirect.dependabot.com/websockets/ws/issues/1228))
- [`9303db3`](https://github.com/websockets/ws/commit/9303db3cfafcc1f97e27501d5d3ddc4079f15f5c) [ci] Test on node 9
- [`48b0496`](https://github.com/websockets/ws/commit/48b0496879899f35602856d80460926a4a6c299d) [ci] Do not test on node 4.1.0, use 4.2.0 instead
- [`d6934af`](https://github.com/websockets/ws/commit/d6934afcf22afed25b1b9fd06bd4b1df66659aae) [test] Fix error validation on node 9
- Additional commits viewable in [compare view](https://github.com/websockets/ws/compare/2.2.3...3.3.1)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/yfsoftcom/pi/network/alerts).
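The 3.3.1 note above says only that `Object.prototype` property names used as extension or parameter names in `Sec-WebSocket-Extensions` could crash a ws server. The following is an added example, not ws's code and not part of this PR, that models that bug class in a simplified header parser and shows one way to close it. It assumes (this is not stated on the page) that the crash pattern is a plain-object lookup keyed by attacker-controlled names, where `constructor` resolves to an inherited property; the names `TOKEN`, `tokenize`, `parseVulnerable`, `parseHardened` and `errorName` are this example's own.

```javascript
'use strict';

// Added example, not ws's own code. Simplified Sec-WebSocket-Extensions
// parser (RFC 6455 section 9.1 shape: "ext1; param=value, ext2; flag").
// ASSUMPTION: the exact crash site in ws is not on the page; the
// "vulnerable" variant keys a plain object by attacker-controlled names, so
// "constructor" resolves to Object.prototype.constructor, not our own data.

// RFC 7230 token characters; extension and parameter names must match.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Split the header into [[name, [[paramName, paramValue], ...]], ...].
// No keyed lookups happen here, so both parsers below share it.
function tokenize(header) {
  return String(header).split(',').map((entry) => {
    const [rawName, ...rawParams] = entry.split(';').map((s) => s.trim());
    const params = rawParams.filter(Boolean).map((p) => {
      const eq = p.indexOf('=');
      return eq === -1
        ? [p, true]
        : [p.slice(0, eq).trim(), p.slice(eq + 1).trim()];
    });
    return [rawName, params];
  });
}

// Vulnerable shape: "have we seen this key?" via a plain object. For
// "constructor" (or any Object.prototype name) store[key] is an inherited
// function, not undefined, so .push is called on it and throws a TypeError.
// In an upgrade handler with no catch, that TypeError ends the process.
function addVulnerable(store, key, value) {
  if (store[key] === undefined) store[key] = [];
  store[key].push(value);
}

function parseVulnerable(header) {
  const offers = {};
  for (const [name, params] of tokenize(header)) {
    const paramObj = {};
    for (const [pname, pvalue] of params) addVulnerable(paramObj, pname, pvalue);
    addVulnerable(offers, name, paramObj);
  }
  return offers;
}

// Hardened shape: validate every name against the token grammar first, and
// keep offers in Maps, which have no prototype chain to collide with.
// Malformed input raises a SyntaxError the caller can turn into an HTTP 400
// instead of an uncaught TypeError.
function parseHardened(header) {
  const offers = new Map();
  for (const [name, params] of tokenize(header)) {
    if (!TOKEN.test(name)) {
      throw new SyntaxError(`invalid extension name ${JSON.stringify(name)}`);
    }
    const paramMap = new Map();
    for (const [pname, pvalue] of params) {
      if (!TOKEN.test(pname)) {
        throw new SyntaxError(`invalid parameter name ${JSON.stringify(pname)}`);
      }
      if (paramMap.has(pname)) {
        throw new SyntaxError(`duplicate parameter ${pname}`);
      }
      paramMap.set(pname, pvalue);
    }
    if (!offers.has(name)) offers.set(name, []);
    offers.get(name).push(paramMap);
  }
  return offers;
}

// Run a parser and report which error class (if any) it threw, so the two
// behaviours can be compared on the same input.
function errorName(parse, header) {
  try {
    parse(header);
    return null;
  } catch (err) {
    return err.constructor.name;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed inputs: the two payloads from the release note plus a
  // normal permessage-deflate offer.
  const inputs = [
    'constructor',
    ',;constructor',
    'permessage-deflate; client_max_window_bits, permessage-deflate; server_no_context_takeover',
  ];
  for (const h of inputs) {
    console.log(JSON.stringify(h),
      'vulnerable:', errorName(parseVulnerable, h) || 'ok',
      'hardened:', errorName(parseHardened, h) || 'ok');
  }
}
```

The point for reviewers of this bump: the fix is not only "use a Map", it is also rejecting names that fail the token grammar with a controlled error, so a bad header costs the server one 400 response rather than the whole process. `node` on the file prints the vulnerable parser throwing `TypeError` for both release-note payloads while the hardened one accepts `constructor` as an ordinary name and rejects the empty name in `,;constructor` with `SyntaxError`.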
Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.
Bumps ws from 2.2.3 to 3.3.1.