rxjs-debugging-for-vscode
rxjs-debugging-for-vscode copied to clipboard
Published
20 hours ago •
swissmanu
swissmanu
Update dependency ws to v8.18.0
trafficstars
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| ws | 8.3.0 -> 8.18.0 |
||||
| @types/ws (source) | 8.2.1 -> 8.5.12 |
Release Notes
websockets/ws (ws)
v8.18.0
Features
- Added support for
Blob(#2229).
v8.17.1
Bug fixes
- Fixed a DoS vulnerability (#2231).
A request with a number of headers exceeding the[server.maxHeadersCount][server.maxHeadersCount]
threshold could be used to crash a ws server.
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j < chars.length; j++) {
const key = chars[i] + chars[j];
headers[key] = 'x';
if (++count === 2000) break;
}
}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
- Reduce the maximum allowed length of the request headers using the
[
--max-http-header-size=size][--max-http-header-size=size] and/or the [maxHeaderSize][maxHeaderSize] options so that no more headers than theserver.maxHeadersCountlimit can be sent. - Set
server.maxHeadersCountto0so that no limit is applied.
v8.17.0
Features
- The
WebSocketconstructor now accepts thecreateConnectionoption (#2219).
Other notable changes
- The default value of the
allowSynchronousEventsoption has been changed totrue(#2221).
This is a breaking change in a patch release. The assumption is that the option is not widely used.
v8.16.0
Features
- Added the
autoPongoption (01ba54e).
v8.15.1
Notable changes
- The
allowMultipleEventsPerMicrotaskoption has been renamed toallowSynchronousEvents(4ed7fe5).
This is a breaking change in a patch release that could have been avoided with an alias, but the renamed option was added only 3 days ago, so hopefully it hasn't already been widely used.
v8.15.0
Features
- Added the
allowMultipleEventsPerMicrotaskoption (93e3552).
v8.14.2
Bug fixes
- Fixed an issue that allowed errors thrown by failed assertions to be
swallowed when running tests (
7f4e1a7).
v8.14.1
Bug fixes
v8.14.0
Features
- The
WebSocketconstructor now accepts HTTP(S) URLs (#2162). - The
socketargument ofserver.handleUpgrade()can now be a genericDuplexstream (#2165).
Other notable changes
- At most one event per microtask is now emitted (#2160).
v8.13.0
Features
- Added the
finishRequestoption to support late addition of headers (#2123).
v8.12.1
Bug fixes
- Added
browsercondition to package.json (#2118).
v8.12.0
Features
- Added support for
utf-8-validate@6(ff63bba).
Other notable changes
- [
buffer.isUtf8()][buffer.isUtf8()] is now used instead ofutf-8-validateif available (42d79f6).
v8.11.0
Features
WebSocket.prototype.addEventListener()now supports an event listener specified as an object with ahandleEvent()method. (9ab743a).
Bug fixes
WebSocket.prototype.addEventListener()now adds an event listener only if it is not already in the list of the event listeners for the specified event type (1cec17d).
v8.10.0
Features
- Added an export for package.json (
211d5d3).
v8.9.0
Features
- Added the ability to connect to Windows named pipes (#2079).
v8.8.1
Bug fixes
- The
AuthorizationandCookieheaders are no longer sent if the original request for the opening handshake is sent to an IPC server and the client is redirected to another IPC server (bc8bd34).
v8.8.0
Features
- Added the
WS_NO_BUFFER_UTILandWS_NO_UTF_8_VALIDATEenvironment variables (becf237).
v8.7.0
Features
- Added the ability to inspect the invalid handshake requests and respond to
them with a custom HTTP response. (
6e5a5ce).
Bug fixes
- The handshake is now aborted if the
Upgradeheader field value in the HTTP response is not a case-insensitive match for the value "websocket" (0fdcc0a). - The
AuthorizationandCookieheaders are no longer sent when following an insecure redirect (wss: to ws:) to the same host (d68ba9e).
v8.6.0
Features
- Added the ability to remove confidential headers on a per-redirect basis (#2030).
v8.5.0
Features
- Added the ability to use a custom
WebSocketclass on the server (#2007).
Bug fixes
- When following redirects, the
AuthorizationandCookieheaders are no longer sent if the redirect host is different from the original host (#2013).
v8.4.2
Bug fixes
- Fixed a data framing issue introduced in version 8.4.1 (#2004).
v8.4.1
Notable changes
- To improve performance, strings sent via
websocket.ping(),websocket.pong(), andwebsocket.send()are no longer converted toBuffers if the data does not need to be masked (#2000).
v8.4.0
Features
- Added ability to generate custom masking keys (#1990).
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}