[Snyk] Upgrade ws from 7.4.6 to 7.5.3 #322

snyk-bot · 2021-08-03T02:55:04Z

Snyk has created this PR to upgrade ws from 7.4.6 to 7.5.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 4 versions ahead of your current version.
The recommended version was released 24 days ago, on 2021-07-10.

Release notes

Package name: ws

7.5.3 - 2021-07-10
Bug fixes
- The WebSocketServer constructor now throws an error if more than one of the
  noServer, server, and port options are specefied (66e58d2).
- Fixed a bug where a 'close' event was emitted by a WebSocketServer before
  the internal HTTP/S server was actually closed (5a58730).
- Fixed a bug that allowed WebSocket connections to be established after
  WebSocketServer.prototype.close() was called (772236a).
7.5.2 - 2021-07-04
Bug fixes
- The opening handshake is now aborted if the client receives a
  Sec-WebSocket-Extensions header but no extension was requested or if the
  server indicates an extension not requested by the client (aca94c8).
7.5.1 - 2021-06-29
Bug fixes
- Fixed an issue that prevented the connection from being closed properly if an
  error occurred simultaneously on both peers (b434b9f).
7.5.0 - 2021-06-16
Features
- Some errors now have a code property describing the specific type of error
  that has occurred (#1901).
Bug fixes
- A close frame is now sent to the remote peer if an error (such as a data
  framing error) occurs (8806aa9).
- The close code is now always 1006 if no close frame is received, even if the
  connection is closed due to an error (8806aa9).
7.4.6 - 2021-05-25
Bug fixes
- Fixed a ReDoS vulnerability (00c425e).
A specially crafted value of the Sec-Websocket-Protocol header could be used
to significantly slow down a ws server.

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
const value = 'b' + ' '.repeat(length) + 'x';
const start = process.hrtime.bigint();

value.trim().split(/ , /);

const end = process.hrtime.bigint();

console.log('length = %d, time = %f ns', length, end - start);
}

The vulnerability was responsibly disclosed along with a fix in private by
Robert McLaughlin from University of California, Santa Barbara.

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
allowed length of the request headers using the --max-http-header-size=size
and/or the maxHeaderSize options.

from ws GitHub release notes

Commit messages

Package name: ws

4c1849a [dist] 7.5.3
772236a [fix] Abort the handshake if the server is closing or closed
5a58730 [fix] Emit the `'close'` event after the server is closed
ea63b29 [minor] Fix typo
66e58d2 [fix] Make the `{noS,s}erver`, and `port` options mutually exclusive
ecb9d9e [minor] Improve JSDoc-inferred types (#1912)
0ad1f9d [dist] 7.5.2
aca94c8 [fix] Abort the handshake if an unexpected extension is received
38c6c73 [dist] 7.5.1
2916006 [test] Add more tests for `WebSocket.prototype.close()`
b434b9f [fix] Fix close edge cases
c3fdc99 [minor] Fix misleading comment
145480a [test] Fix repeated typo
e3f0c17 [dist] 7.5.0
1d3f4cb [doc] Fix anchor tags for error codes
6eea0d4 [doc] Fix typo
bb5d44b [doc] Sort error codes alphabetically
c6e3080 [minor] Attach error codes to all receiver errors (#1901)
074e6a8 [fix] Don't call `ws.terminate()` unconditionally in `duplex._destroy()`
8806aa9 [fix] Close the connection cleanly when an error occurs
05b8ccd [doc] Fix broken link (#1897)
03a7078 [doc] Remove unsafe regex from code snippet
7ee3115 [doc] Add logo to coverage badge
edff6bb [test] Fix nit