ThunderNetworkRaD/tn-api.js
2
0
Fork 0
Code Issues 5 Pull requests 4 Projects Releases 14 Packages Wiki Activity Actions

Bump ws and engine.io-client #2

Closed
dependabot[bot] wants to merge 1 commit from dependabot/npm_and_yarn/multi-1729a3ee87 into main
pull from: dependabot/npm_and_yarn/multi-1729a3ee87
merge into: ThunderNetworkRaD:main
Conversation 1 Commits 1 Files changed 2 +18 -20
dependabot[bot] commented 2024-07-29 12:35:46 +02:00 (Migrated from github.com)
Copy link

Bumps ws and engine.io-client. These dependencies needed to be updated together.
Updates ws from 8.11.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;


for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;


for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';

if (++count === 2000) break;

}




}


headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';


const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});


request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • 934c9d6 [ci] Test on node 22
  • 1817bac [ci] Do not test on node 21
  • 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
  • e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
  • Additional commits viewable in compare view

Updates engine.io-client from 6.5.3 to 6.5.4

Release notes

Sourced from engine.io-client's releases.

6.5.4

This release contains a bump of the ws dependency, which includes an important security fix.

Advisory: https://github.com/advisories/GHSA-3h5v-q93c-6h6q

Links

Changelog

Sourced from engine.io-client's changelog.

6.5.4 (2024-06-18)

This release contains a bump of the ws dependency, which includes an important security fix.

Advisory: https://github.com/advisories/GHSA-3h5v-q93c-6h6q

Dependencies

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
Bumps [ws](https://github.com/websockets/ws) and [engine.io-client](https://github.com/socketio/engine.io-client). These dependencies needed to be updated together. Updates `ws` from 8.11.0 to 8.17.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/websockets/ws/releases">ws's releases</a>.</em></p> <blockquote> <h2>8.17.1</h2> <h1>Bug fixes</h1> <ul> <li>Fixed a DoS vulnerability (<a href="https://redirect.github.com/websockets/ws/issues/2231">#2231</a>).</li> </ul> <p>A request with a number of headers exceeding the[<code>server.maxHeadersCount</code>][] threshold could be used to crash a ws server.</p> <pre lang="js"><code>const http = require('http'); const WebSocket = require('ws'); <p>const wss = new WebSocket.Server({ port: 0 }, function () { const chars = &quot;!#$%&amp;'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~&quot;.split(''); const headers = {}; let count = 0;</p> <p>for (let i = 0; i &lt; chars.length; i++) { if (count === 2000) break;</p> <pre><code>for (let j = 0; j &amp;lt; chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } </code></pre> <p>}</p> <p>headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13';</p> <p>const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port });</p> <p>request.end(); }); </code></pre></p> <p>The vulnerability was reported by <a href="https://github.com/rrlapointe">Ryan LaPointe</a> in <a href="https://redirect.github.com/websockets/ws/issues/2230">websockets/ws#2230</a>.</p> <p>In vulnerable versions of ws, the issue can be mitigated in the following ways:</p> <ol> <li>Reduce the maximum allowed length of the request headers using the [<code>--max-http-header-size=size</code>][] and/or the [<code>maxHeaderSize</code>][] options so that no more headers than the <code>server.maxHeadersCount</code> limit can be sent.</li> </ol> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/websockets/ws/commit/3c56601092872f7d7566989f0e379271afd0e4a1"><code>3c56601</code></a> [dist] 8.17.1</li> <li><a href="https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c"><code>e55e510</code></a> [security] Fix crash when the Upgrade header cannot be read (<a href="https://redirect.github.com/websockets/ws/issues/2231">#2231</a>)</li> <li><a href="https://github.com/websockets/ws/commit/6a00029edd924499f892aed8003cef1fa724cfe5"><code>6a00029</code></a> [test] Increase code coverage</li> <li><a href="https://github.com/websockets/ws/commit/ddfe4a804d79e7788ab136290e609f91cf68423f"><code>ddfe4a8</code></a> [perf] Reduce the amount of <code>crypto.randomFillSync()</code> calls</li> <li><a href="https://github.com/websockets/ws/commit/b73b11828d166e9692a9bffe9c01a7e93bab04a8"><code>b73b118</code></a> [dist] 8.17.0</li> <li><a href="https://github.com/websockets/ws/commit/29694a5905fa703e86667928e6bacac397469471"><code>29694a5</code></a> [test] Use the <code>highWaterMark</code> variable</li> <li><a href="https://github.com/websockets/ws/commit/934c9d6b938b93c045cb13e5f7c19c27a8dd925a"><code>934c9d6</code></a> [ci] Test on node 22</li> <li><a href="https://github.com/websockets/ws/commit/1817bac06e1204bfb578b8b3f4bafd0fa09623d0"><code>1817bac</code></a> [ci] Do not test on node 21</li> <li><a href="https://github.com/websockets/ws/commit/96c9b3deddf56cacb2d756aaa918071e03cdbc42"><code>96c9b3d</code></a> [major] Flip the default value of <code>allowSynchronousEvents</code> (<a href="https://redirect.github.com/websockets/ws/issues/2221">#2221</a>)</li> <li><a href="https://github.com/websockets/ws/commit/e5f32c7e1e6d3d19cd4a1fdec84890e154db30c1"><code>e5f32c7</code></a> [fix] Emit at most one event per event loop iteration (<a href="https://redirect.github.com/websockets/ws/issues/2218">#2218</a>)</li> <li>Additional commits viewable in <a href="https://github.com/websockets/ws/compare/8.11.0...8.17.1">compare view</a></li> </ul> </details> <br /> Updates `engine.io-client` from 6.5.3 to 6.5.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/socketio/engine.io-client/releases">engine.io-client's releases</a>.</em></p> <blockquote> <h2>6.5.4</h2> <p>This release contains a bump of the <code>ws</code> dependency, which includes an important <a href="https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c">security fix</a>.</p> <p>Advisory: <a href="https://github.com/advisories/GHSA-3h5v-q93c-6h6q">https://github.com/advisories/GHSA-3h5v-q93c-6h6q</a></p> <h4>Links</h4> <ul> <li>Diff: <a href="https://github.com/socketio/engine.io-client/compare/6.5.3...6.5.4">https://github.com/socketio/engine.io-client/compare/6.5.3...6.5.4</a></li> <li>Server release: -</li> <li><a href="https://github.com/websockets/ws/releases/tag/8.17.1"><code>ws@~8.17.1</code></a> (<a href="https://github.com/websockets/ws/compare/8.11.0...8.17.1">diff</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/socketio/engine.io-client/blob/6.5.4/CHANGELOG.md">engine.io-client's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/socketio/engine.io-client/compare/6.5.3...6.5.4">6.5.4</a> (2024-06-18)</h2> <p>This release contains a bump of the <code>ws</code> dependency, which includes an important <a href="https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c">security fix</a>.</p> <p>Advisory: <a href="https://github.com/advisories/GHSA-3h5v-q93c-6h6q">https://github.com/advisories/GHSA-3h5v-q93c-6h6q</a></p> <h3>Dependencies</h3> <ul> <li><a href="https://github.com/websockets/ws/releases/tag/8.17.1"><code>ws@~8.17.1</code></a> (<a href="https://github.com/websockets/ws/compare/8.11.0...8.17.1">diff</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/socketio/engine.io-client/commit/454940dc990367caa5610632de6e36ec51926eeb"><code>454940d</code></a> chore(release): 6.5.4</li> <li><a href="https://github.com/socketio/engine.io-client/commit/0eb956b5c0e55bfd4e217d3e327ad06634bfac39"><code>0eb956b</code></a> chore: bump ws to version 8.17.1</li> <li>See full diff in <a href="https://github.com/socketio/engine.io-client/compare/6.5.3...6.5.4">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ThunderNetworkRaD/tn-api.js/network/alerts). </details>
dependabot[bot] commented 2024-07-29 20:39:47 +02:00 (Migrated from github.com)
Copy link

OK, I won't notify you again about this release, but will get in touch when a new version is available.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

Pull request closed

This pull request cannot be reopened because the branch was deleted.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
dependencies

Pull requests that update a dependency file

  
Kind/Breaking

Breaking change that won't be backward compatible

  
Kind/Bug

Something is not working

  
Kind/Documentation

Documentation changes

  
Kind/Endpoint

   
Kind/Enhancement

Improve existing functionality

  
Kind/Feature

New functionality

  
Kind/Identifier

   
Kind/Security

This is security issue

  
Kind/Testing

Issue or pull request related to testing

  
Migrated

   
Priority/Critical

The priority is critical

  
Priority/High

The priority is high

  
Priority/Low

The priority is low

  
Priority/Medium

The priority is medium

  
Reviewed/Confirmed

Issue has been confirmed

  
Reviewed/Duplicate

This issue or pull request already exists

  
Reviewed/Invalid

Invalid issue

  
Reviewed/Won't Fix

This issue won't be fixed

  
Status/Abandoned

Somebody has started to work on this but abandoned work

  
Status/Blocked

Something is blocking this issue or pull request

  
Status/Need More Info

Feedback is required to reproduce issue or to continue work

  
Compat
Breaking
Breaking change that won't be backward compatible

  
Kind
Bug
Something is not working

  
Kind
Documentation
Documentation changes

  
Kind
Enhancement
Improve existing functionality

  
Kind
Feature
New functionality

  
Kind
Security
This is security issue

  
Kind
Testing
Issue or pull request related to testing

  
Priority
Critical
The priority is critical

  
Priority
High
The priority is high

  
Priority
Low
The priority is low

  
Priority
Medium
The priority is medium

  
Reviewed
Confirmed
Issue has been confirmed

  
Reviewed
Duplicate
This issue or pull request already exists

  
Reviewed
Invalid
Invalid issue

  
Reviewed
Won't Fix
This issue won't be fixed

  
Status
Abandoned
Somebody has started to work on this but abandoned work

  
Status
Blocked
Something is blocking this issue or pull request

  
Status
Need More Info
Feedback is required to reproduce issue or to continue work

No labels
dependencies
Kind/Breaking
Kind/Bug
Kind/Documentation
Kind/Endpoint
Kind/Enhancement
Kind/Feature
Kind/Identifier
Kind/Security
Kind/Testing
Migrated
Priority/Critical
Priority/High
Priority/Low
Priority/Medium
Reviewed/Confirmed
Reviewed/Duplicate
Reviewed/Invalid
Reviewed/Won't Fix
Status/Abandoned
Status/Blocked
Status/Need More Info
Compat
Breaking
Kind
Bug
Kind
Documentation
Kind
Enhancement
Kind
Feature
Kind
Security
Kind
Testing
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Need More Info
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: ThunderNetworkRaD/tn-api.js#2
No description provided.
Delete branch "dependabot/npm_and_yarn/multi-1729a3ee87"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?