Title: Bump ws, socket.io-client and socket.io by dependabot[bot] · Pull Request #172 · austinjavascript/austinjavascript.com · GitHub
Description: Bumps ws, socket.io-client and socket.io. These dependencies needed to be updated together.
Updates ws from 8.2.3 to 8.17.1
Release notes
Sourced from ws's releases.
8.17.1
Bug fixes
Fixed a DoS vulnerability (#2231).
A request with a number of headers exceeding the `server.maxHeadersCount`
threshold could be used to crash a ws server.
```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```
The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
Reduce the maximum allowed length of the request headers using the
`--max-http-header-size=size` and/or the `maxHeaderSize` options so
that no more headers than the `server.maxHeadersCount` limit can be sent.
... (truncated)
Commits
3c56601 [dist] 8.17.1
e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
6a00029 [test] Increase code coverage
ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
b73b118 [dist] 8.17.0
29694a5 [test] Use the highWaterMark variable
934c9d6 [ci] Test on node 22
1817bac [ci] Do not test on node 21
96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
Additional commits viewable in compare view
Updates socket.io-client from 4.5.3 to 4.7.5
Release notes
Sourced from socket.io-client's releases.
4.7.5
Bug Fixes
discard acknowledgements upon disconnection (34cbfbb)
Links
Diff: socketio/socket.io-client@4.7.4...4.7.5
Server release: 4.7.5
engine.io-client@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.4
There were some minor bug fixes on the server side, which mandate a client bump.
Links
Diff: socketio/socket.io-client@4.7.3...4.7.4
Server release: 4.7.4
engine.io-client@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.3
Bug Fixes
improve compatibility with node16 module resolution (#1595) (605de78)
typings: accept string | undefined as init argument (5a3eafe)
typings: fix the type of the socket#id attribute (f9c16f2)
Links
Diff: socketio/socket.io-client@4.7.2...4.7.3
Server release: 4.7.3
engine.io-client@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.2
Some bug fixes are included from the engine.io-client package:
webtransport: add proper framing (d55c39e)
webtransport: honor the binaryType attribute (8270e00)
Links
Diff: socketio/socket.io-client@4.7.1...4.7.2
Server release: 4.7.2
engine.io-client@~6.5.2 (diff)
ws@~8.11.0 (no change)
4.7.1
... (truncated)
Changelog
Sourced from socket.io-client's changelog.
4.7.5 (2024-03-14)
Bug Fixes
discard acknowledgements upon disconnection (34cbfbb)
Dependencies
engine.io-client@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.4 (2024-01-12)
There were some minor bug fixes on the server side, which mandate a client bump.
Dependencies
engine.io-client@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.3 (2024-01-03)
Bug Fixes
improve compatibility with node16 module resolution (#1595) (605de78)
typings: accept string | undefined as init argument (5a3eafe)
typings: fix the type of the socket#id attribute (f9c16f2)
Dependencies
engine.io-client@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.2 (2023-08-02)
Some bug fixes are included from the engine.io-client package:
webtransport: add proper framing (d55c39e)
webtransport: honor the binaryType attribute (8270e00)
... (truncated)
Commits
4f6030f chore(release): 4.7.5
34cbfbb fix: discard acknowledgements upon disconnection
8cfea8c chore(release): 4.7.4
ca5d50e chore(release): 4.7.3
f9c16f2 fix(typings): fix the type of the socket#id attribute
b3f0cab ci: add Node.js 20 in the test matrix
5a3eafe fix(typings): accept string | undefined as init argument
605de78 fix: improve compatibility with node16 module resolution (#1595)
d00ccd2 ci: bump appiumVersion for Android tests in SauceLabs
928d76d chore(release): 4.7.2
Additional commits viewable in compare view
Updates socket.io from 4.5.3 to 4.7.5
Release notes
Sourced from socket.io's releases.
4.7.5
Bug Fixes
close the adapters when the server is closed (bf64870)
remove duplicate pipeline when serving bundle (e426f3e)
Links
Diff: socketio/socket.io@4.7.4...4.7.5
Client release: 4.7.5
engine.io@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.4
Bug Fixes
typings: calling io.emit with no arguments incorrectly errored (cb6d2e0), closes #4914
Links
Diff: socketio/socket.io@4.7.3...4.7.4
Client release: 4.7.4
engine.io@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.3
Bug Fixes
return the first response when broadcasting to a single socket (#4878) (df8e70f)
typings: allow to bind to a non-secure Http2Server (#4853) (8c9ebc3)
Links
Diff: socketio/socket.io@4.7.2...4.7.3
Client release: 4.7.3
engine.io@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.2
Bug Fixes
clean up child namespace when client is rejected in middleware (#4773) (0731c0d)
webtransport: properly handle WebTransport-only connections (3468a19)
webtransport: add proper framing (a306db0)
Links
... (truncated)
Changelog
Sourced from socket.io's changelog.
4.7.5 (2024-03-14)
Bug Fixes
close the adapters when the server is closed (bf64870)
remove duplicate pipeline when serving bundle (e426f3e)
Dependencies
engine.io@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.4 (2024-01-12)
Bug Fixes
typings: calling io.emit with no arguments incorrectly errored (cb6d2e0), closes #4914
Dependencies
engine.io@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.3 (2024-01-03)
Bug Fixes
return the first response when broadcasting to a single socket (#4878) (df8e70f)
typings: allow to bind to a non-secure Http2Server (#4853) (8c9ebc3)
Dependencies
engine.io@~6.5.2 (no change)
ws@~8.11.0 (no change)
4.7.2 (2023-08-02)
... (truncated)
Commits
5017681 chore(release): 4.7.5
bf64870 fix: close the adapters when the server is closed
748e18c ci: test with older TypeScript version
b9ce6a2 refactor: create specific adapter for parent namespaces (#4950)
54dabe5 ci: upgrade to actions/checkout@4 and actions/setup-node@4
e426f3e fix: remove duplicate pipeline when serving bundle
e36062c docs: update the webtransport example
0bbe8ae docs: only execute the passport middleware once
914a8bd docs: add example with JWT
d943c3e docs: update the Passport.js example
Additional commits viewable in compare view
You can trigger a rebase of this PR by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show
Opengraph URL: https://github.com/austinjavascript/austinjavascript.com/pull/172