Update dependency ws to v8.17.1 [SECURITY] #452
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
8.14.2
->8.17.1
GitHub Vulnerability Alerts
CVE-2024-37890
Impact
A request with a number of headers exceeding the
server.maxHeadersCount
threshold could be used to crash a ws server.Proof of concept
Patches
The vulnerability was fixed in [email protected] (websockets/ws@e55e510) and backported to [email protected] (websockets/ws@22c2876), [email protected] (websockets/ws@eeb76d3), and [email protected] (websockets/ws@4abd8f6)
Workarounds
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=size
and/or themaxHeaderSize
options so that no more headers than theserver.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.Credits
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
References
Release Notes
websockets/ws (ws)
v8.17.1
Compare Source
Bug fixes
A request with a number of headers exceeding the[
server.maxHeadersCount
][server.maxHeadersCount]threshold could be used to crash a ws server.
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
[
--max-http-header-size=size
][--max-http-header-size=size] and/or the [maxHeaderSize
][maxHeaderSize] options sothat no more headers than the
server.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.v8.17.0
Compare Source
Features
WebSocket
constructor now accepts thecreateConnection
option (#2219).Other notable changes
allowSynchronousEvents
option has been changed totrue
(#2221).This is a breaking change in a patch release. The assumption is that the option
is not widely used.
v8.16.0
Compare Source
Features
autoPong
option (01ba54e
).v8.15.1
Compare Source
Notable changes
allowMultipleEventsPerMicrotask
option has been renamed toallowSynchronousEvents
(4ed7fe5
).This is a breaking change in a patch release that could have been avoided with
an alias, but the renamed option was added only 3 days ago, so hopefully it
hasn't already been widely used.
v8.15.0
Compare Source
Features
allowMultipleEventsPerMicrotask
option (93e3552
).Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.