
refactor: upgrade ws from 8.6.0 to 8.8.1

Open snyk-bot opened this issue 3 years ago • 1 comments

Snyk has created this PR to upgrade ws from 8.6.0 to 8.8.1.

Merge advice: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 3 versions ahead of your current version.
  • The recommended version was released 24 days ago, on 2022-07-15.
Release notes
Package name: ws
  • 8.8.1 - 2022-07-15

    Bug fixes

    • The Authorization and Cookie headers are no longer sent if the original
      request for the opening handshake is sent to an IPC server and the client is
      redirected to another IPC server (bc8bd34).
  • 8.8.0 - 2022-06-09

    Features

    • Added the WS_NO_BUFFER_UTIL and WS_NO_UTF_8_VALIDATE environment
      variables (becf237).
  • 8.7.0 - 2022-05-26

    Features

    • Added the ability to inspect the invalid handshake requests and respond to
      them with a custom HTTP response. (6e5a5ce).

    Bug fixes

    • The handshake is now aborted if the Upgrade header field value in the HTTP
      response is not a case-insensitive match for the value "websocket" (0fdcc0a).
    • The Authorization and Cookie headers are no longer sent when following an
      insecure redirect (wss: to ws:) to the same host (d68ba9e).
  • 8.6.0 - 2022-05-01

    Features

    • Added the ability to remove confidential headers on a per-redirect basis (#2030).
from ws GitHub release notes
Commit messages
Package name: ws
  • 9753821 [dist] 8.8.1
  • bc8bd34 [security] Fix same host check for ws+unix: redirects
  • 0ae302a [test] Fix nits
  • 1117af6 [doc] Fix typo (#2062)
  • 3b6af82 [minor] Prevent opening handshake headers from being overridden
  • 982b782 [dist] 8.8.0
  • becf237 [feature] Add the `WS_NO_{BUFFER_UTIL, UTF_8_VALIDATE}` variables
  • 0792742 [doc] Fix nit
  • c1a126f [doc] Rename WS Error Codes section to Error codes
  • a6dbd1c [ci] Set permissions explicitly (#2051)
  • 5e4149e [test] Fix typo
  • 4b62fbf [dist] 8.7.0
  • 6e5a5ce [feature] Introduce the `'wsClientError'` event (#2046)
  • 903ec62 [doc] Update the type of the `socket` argument
  • d68ba9e [security] Drop sensitive headers when following insecure redirects
  • a690791 [ci] Exclude node 18 on Windows x86 from the test matrix
  • 8889e48 [test] Increase code coverage
  • fb658bd [minor] Use consistent error messages
  • 0fdcc0a [fix] Abort the handshake if the Upgrade header is invalid
  • e56cdfe [minor] Clarify why the handshake is aborted

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.


snyk-bot, Aug 09 '22 04:08
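The two security-relevant rules in the release notes above (sensitive headers dropped on an insecure or cross-host redirect, including IPC-to-IPC redirects, and the handshake aborted unless the Upgrade header is a case-insensitive "websocket") as an added stand-alone illustration; this is not ws's own code. It assumes WHATWG URL parsing (Node's global `URL`), plain-object headers, and that for a ws+unix: URL the socket path before the ":" identifies the server, which is an assumption about how the IPC case is compared.

```javascript
// Added illustration, not ws's code: the redirect header policy and the
// Upgrade-header check described in the ws 8.7.0 / 8.8.1 release notes.

// Headers that carry credentials and must not leak across a risky redirect.
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie']);

// Identity of the server a URL points at. For ws+unix: the socket path
// (the part of the pathname before ':') is the server; otherwise host:port.
// The ws+unix: handling is an assumption made for this example.
function serverIdentity(url) {
  if (url.protocol === 'ws+unix:') return 'unix:' + url.pathname.split(':')[0];
  return url.host; // WHATWG URL drops default ports, so wss://h:443 === wss://h
}

// Decide which opening-handshake headers may be re-sent when the client is
// redirected from `fromUrl` to `toUrl`. Credentials are kept only when the
// target is the same server AND the redirect does not downgrade wss: to ws:.
function headersForRedirect(fromUrl, toUrl, headers) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameServer = serverIdentity(from) === serverIdentity(to);
  const downgrade = from.protocol === 'wss:' && to.protocol !== 'wss:';
  const keepSensitive = sameServer && !downgrade;
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!keepSensitive && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    forwarded[name] = value;
  }
  return forwarded;
}

// Handshake response check: abort unless Upgrade is "websocket",
// compared case-insensitively (a missing header is also invalid).
function isValidUpgradeHeader(value) {
  return typeof value === 'string' && value.toLowerCase() === 'websocket';
}

// Constructed sample: a wss: -> ws: redirect on the same host loses credentials.
const sampleHeaders = { Authorization: 'Bearer t0k3n', Cookie: 'sid=abc', 'X-Trace': '1' };
console.log(headersForRedirect('wss://example.com/chat', 'ws://example.com/chat', sampleHeaders));
```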

I will reformat the title to use the proper commit message syntax.

@mtrezza Is dependabot working? I only see it working for parse-server bumps. We could avoid another 3.5.0 issue like https://github.com/parse-community/Parse-SDK-JS/pull/1600 in the future. I think this should be closed as we aren't using Snyk-bot.

dplewis, Jan 27 '23 02:01

We are using both dependabot and snyk in our repos. Some security PRs are only opened by one or the other, some by both. Hence we have both enabled. We have this repo config, with non-security version upgrades disabled because Snyk is already doing that.

Some time ago we've added a dependabot config file and it seems that we've allowed it to upgrade only parse-server.

The reason for the config file is described in https://github.com/parse-community/Parse-SDK-JS/pull/1546. I've opened https://github.com/parse-community/Parse-SDK-JS/issues/1671 to figure out how to upgrade parse server with every commit while allowing upgrades for all other repos.

mtrezza, Jan 27 '23 09:01

Closing, the conflict is too complex to resolve manually.

mtrezza, Jan 27 '23 09:01