react-mapbox-wrapper
react-mapbox-wrapper copied to clipboard
MeilleursAgents
chore(deps): [security] bump ws from 7.3.1 to 7.5.3
Bumps ws from 7.3.1 to 7.5.3. This update includes security fixes.
Vulnerabilities fixed
Sourced from The GitHub Security Advisory Database.
ReDoS in Sec-Websocket-Protocol header
Impact
A specially crafted value of the
Sec-Websocket-Protocolheader can be used to significantly slow down a ws server.Proof of concept
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) { const value = 'b' + ' '.repeat(length) + 'x'; const start = process.hrtime.bigint();value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start); }
Patches
... (truncated)
Affected versions: >= 7.0.0 < 7.4.6
Sourced from The GitHub Security Advisory Database.
ReDoS in Sec-Websocket-Protocol header
Impact
A specially crafted value of the
Sec-Websocket-Protocolheader can be used to significantly slow down a ws server.Proof of concept
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) { const value = 'b' + ' '.repeat(length) + 'x'; const start = process.hrtime.bigint();value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start); }
Patches
... (truncated)
Affected versions: >= 5.0.0 < 7.4.5
Sourced from The GitHub Security Advisory Database.
ReDoS in Sec-Websocket-Protocol header
Impact
A specially crafted value of the
Sec-Websocket-Protocolheader can be used to significantly slow down a ws server.Proof of concept
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) { const value = 'b' + ' '.repeat(length) + 'x'; const start = process.hrtime.bigint();value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start); }
Patches
... (truncated)
Affected versions: >= 5.0.0 < 7.4.6
Release notes
Sourced from ws's releases.
7.5.3
Bug fixes
- The
WebSocketServerconstructor now throws an error if more than one of thenoServer,server, andportoptions are specefied (66e58d27).- Fixed a bug where a
'close'event was emitted by aWebSocketServerbefore the internal HTTP/S server was actually closed (5a587304).- Fixed a bug that allowed WebSocket connections to be established after
WebSocketServer.prototype.close()was called (772236a1).7.5.2
Bug fixes
- The opening handshake is now aborted if the client receives a
Sec-WebSocket-Extensionsheader but no extension was requested or if the server indicates an extension not requested by the client (aca94c86).7.5.1
Bug fixes
- Fixed an issue that prevented the connection from being closed properly if an error occurred simultaneously on both peers (b434b9f1).
7.5.0
Features
- Some errors now have a
codeproperty describing the specific type of error that has occurred (#1901).Bug fixes
- A close frame is now sent to the remote peer if an error (such as a data framing error) occurs (8806aa9a).
- The close code is now always 1006 if no close frame is received, even if the connection is closed due to an error (8806aa9a).
7.4.6
Bug fixes
- Fixed a ReDoS vulnerability (00c425ec).
A specially crafted value of the
Sec-Websocket-Protocolheader could be used to significantly slow down a ws server.for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) { const value = 'b' + ' '.repeat(length) + 'x'; const start = process.hrtime.bigint();value.trim().split(/ *, */); </tr></table>
... (truncated)
Commits
4c1849a[dist] 7.5.3772236a[fix] Abort the handshake if the server is closing or closed5a58730[fix] Emit the'close'event after the server is closedea63b29[minor] Fix typo66e58d2[fix] Make the{noS,s}erver, andportoptions mutually exclusiveecb9d9e[minor] Improve JSDoc-inferred types (#1912)0ad1f9d[dist] 7.5.2aca94c8[fix] Abort the handshake if an unexpected extension is received38c6c73[dist] 7.5.12916006[test] Add more tests forWebSocket.prototype.close()- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
If all status checks pass Dependabot will automatically merge this pull request during working hours.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)@dependabot badge mewill comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in the .dependabot/config.yml file in this repo:
- Update frequency
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
![dependabot-preview[bot] avatar](https://avatars.githubusercontent.com/in/2141?v=4 "Published by a pub.dev verified publisher"){kind=small}
One of your CI runs failed on this pull request, so Dependabot won't merge it.
Dependabot will still automatically merge this pull request if you amend it and your tests pass.