chore(deps): update dependency ws to v8 (#99)
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [ws](https://redirect.github.com/websockets/ws) | overrides | major | [`7.5.10` -> `8.18.0`](https://renovatebot.com/diffs/npm/ws/7.5.10/8.18.0) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/websockets/ws/badge)](https://securityscorecards.dev/viewer/?uri=github.com/websockets/ws) |

---

### Release Notes

<details>
<summary>websockets/ws (ws)</summary>

### [`v8.18.0`](https://redirect.github.com/websockets/ws/releases/tag/8.18.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.17.1...8.18.0)

### Features

- Added support for `Blob`
([#2229](https://redirect.github.com/websockets/ws/issues/2229)).

### [`v8.17.1`](https://redirect.github.com/websockets/ws/releases/tag/8.17.1)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.17.0...8.17.1)

### Bug fixes

- Fixed a DoS vulnerability
([#2231](https://redirect.github.com/websockets/ws/issues/2231)).

A request with a number of headers exceeding
the [`server.maxHeadersCount`][] threshold
could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```

The vulnerability was reported by [Ryan
LaPointe](https://redirect.github.com/rrlapointe) in
[https://github.com/websockets/ws/issues/2230](https://redirect.github.com/websockets/ws/issues/2230).

In vulnerable versions of ws, the issue can be mitigated in the
following ways:

1.  Reduce the maximum allowed length of the request headers using the
[`--max-http-header-size=size`][] and/or the
[`maxHeaderSize`][] options so
that no more headers than the `server.maxHeadersCount` limit can be
sent.
2.  Set `server.maxHeadersCount` to `0` so that no limit is applied.

[`--max-http-header-size=size`]:
https://nodejs.org/api/cli.html#--max-http-header-sizesize

[`maxHeaderSize`]:
https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener

[`server.maxHeadersCount`]:
https://nodejs.org/api/http.html#servermaxheaderscount

### [`v8.17.0`](https://redirect.github.com/websockets/ws/releases/tag/8.17.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.16.0...8.17.0)

### Features

- The `WebSocket` constructor now accepts the `createConnection` option
([#2219](https://redirect.github.com/websockets/ws/issues/2219)).

### Other notable changes

- The default value of the `allowSynchronousEvents` option has been
changed to `true`
([#2221](https://redirect.github.com/websockets/ws/issues/2221)).

This is a breaking change in a patch release. The assumption is that the
option is not widely used.

### [`v8.16.0`](https://redirect.github.com/websockets/ws/releases/tag/8.16.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.15.1...8.16.0)

### Features

- Added the `autoPong` option
([`01ba54e`](https://redirect.github.com/websockets/ws/commit/01ba54ed)).

### [`v8.15.1`](https://redirect.github.com/websockets/ws/releases/tag/8.15.1)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.15.0...8.15.1)

### Notable changes

-   The `allowMultipleEventsPerMicrotask` option has been renamed to
`allowSynchronousEvents`
([`4ed7fe5`](https://redirect.github.com/websockets/ws/commit/4ed7fe58)).

This is a breaking change in a patch release that could have been
avoided with
an alias, but the renamed option was added only 3 days ago, so hopefully
it
hasn't already been widely used.

### [`v8.15.0`](https://redirect.github.com/websockets/ws/releases/tag/8.15.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.14.2...8.15.0)

### Features

- Added the `allowMultipleEventsPerMicrotask` option
([`93e3552`](https://redirect.github.com/websockets/ws/commit/93e3552e)).

### [`v8.14.2`](https://redirect.github.com/websockets/ws/releases/tag/8.14.2)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.14.1...8.14.2)

### Bug fixes

-   Fixed an issue that allowed errors thrown by failed assertions to be
swallowed when running tests
([`7f4e1a7`](https://redirect.github.com/websockets/ws/commit/7f4e1a75)).

### [`v8.14.1`](https://redirect.github.com/websockets/ws/releases/tag/8.14.1)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.14.0...8.14.1)

##### Bug fixes

- Improved the reliability of two tests for [CITGM][]
([`fd3c64c`](https://redirect.github.com/websockets/ws/commit/fd3c64cb)).

[CITGM]: https://redirect.github.com/nodejs/citgm

### [`v8.14.0`](https://redirect.github.com/websockets/ws/releases/tag/8.14.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.13.0...8.14.0)

### Features

- The `WebSocket` constructor now accepts HTTP(S) URLs
([#2162](https://redirect.github.com/websockets/ws/issues/2162)).
- The `socket` argument of `server.handleUpgrade()` can now be a generic
`Duplex` stream
([#2165](https://redirect.github.com/websockets/ws/issues/2165)).

### Other notable changes

- At most one event per microtask is now emitted
([#2160](https://redirect.github.com/websockets/ws/issues/2160)).

### [`v8.13.0`](https://redirect.github.com/websockets/ws/releases/tag/8.13.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.12.1...8.13.0)

### Features

- Added the `finishRequest` option to support late addition of headers
([#2123](https://redirect.github.com/websockets/ws/issues/2123)).

### [`v8.12.1`](https://redirect.github.com/websockets/ws/releases/tag/8.12.1)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.12.0...8.12.1)

### Bug fixes

- Added `browser` condition to package.json
([#2118](https://redirect.github.com/websockets/ws/issues/2118)).

### [`v8.12.0`](https://redirect.github.com/websockets/ws/releases/tag/8.12.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.11.0...8.12.0)

### Features

- Added support for `utf-8-validate@6`
([`ff63bba`](https://redirect.github.com/websockets/ws/commit/ff63bba3)).

### Other notable changes

- [`buffer.isUtf8()`][] is now used instead of
`utf-8-validate` if available
([`42d79f6`](https://redirect.github.com/websockets/ws/commit/42d79f60)).

[`buffer.isutf8()`]:
https://nodejs.org/api/buffer.html#bufferisutf8input

### [`v8.11.0`](https://redirect.github.com/websockets/ws/releases/tag/8.11.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.10.0...8.11.0)

### Features

- `WebSocket.prototype.addEventListener()` now supports an event
listener
specified as an object with a `handleEvent()` method.
([`9ab743a`](https://redirect.github.com/websockets/ws/commit/9ab743aa)).

### Bug fixes

- `WebSocket.prototype.addEventListener()` now adds an event listener
only if it is not already in the list of the event listeners for the
specified event type
([`1cec17d`](https://redirect.github.com/websockets/ws/commit/1cec17da)).

### [`v8.10.0`](https://redirect.github.com/websockets/ws/releases/tag/8.10.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.9.0...8.10.0)

### Features

- Added an export for package.json
([`211d5d3`](https://redirect.github.com/websockets/ws/commit/211d5d38)).

### [`v8.9.0`](https://redirect.github.com/websockets/ws/releases/tag/8.9.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.8.1...8.9.0)

### Features

- Added the ability to connect to Windows named pipes
([#2079](https://redirect.github.com/websockets/ws/issues/2079)).

### [`v8.8.1`](https://redirect.github.com/websockets/ws/releases/tag/8.8.1)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.8.0...8.8.1)

### Bug fixes

- The `Authorization` and `Cookie` headers are no longer sent if the
original
request for the opening handshake is sent to an IPC server and the
client is
redirected to another IPC server
([`bc8bd34`](https://redirect.github.com/websockets/ws/commit/bc8bd34e)).

### [`v8.8.0`](https://redirect.github.com/websockets/ws/releases/tag/8.8.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.7.0...8.8.0)

### Features

-   Added the `WS_NO_BUFFER_UTIL` and `WS_NO_UTF_8_VALIDATE` environment
variables
([`becf237`](https://redirect.github.com/websockets/ws/commit/becf237c)).

### [`v8.7.0`](https://redirect.github.com/websockets/ws/releases/tag/8.7.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.6.0...8.7.0)

### Features

- Added the ability to inspect the invalid handshake requests and
respond to
them with a custom HTTP response.
([`6e5a5ce`](https://redirect.github.com/websockets/ws/commit/6e5a5ce3)).

### Bug fixes

- The handshake is now aborted if the `Upgrade` header field value in
the HTTP
response is not a case-insensitive match for the value "websocket"
([`0fdcc0a`](https://redirect.github.com/websockets/ws/commit/0fdcc0af)).
- The `Authorization` and `Cookie` headers are no longer sent when
following an
insecure redirect (wss: to ws:) to the same host
([`d68ba9e`](https://redirect.github.com/websockets/ws/commit/d68ba9e1)).

### [`v8.6.0`](https://redirect.github.com/websockets/ws/releases/tag/8.6.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.5.0...8.6.0)

### Features

- Added the ability to remove confidential headers on a per-redirect
basis
([#2030](https://redirect.github.com/websockets/ws/issues/2030)).

### [`v8.5.0`](https://redirect.github.com/websockets/ws/releases/tag/8.5.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.4.2...8.5.0)

### Features

- Added the ability to use a custom `WebSocket` class on the server
([#2007](https://redirect.github.com/websockets/ws/issues/2007)).

### Bug fixes

- When following redirects, the `Authorization` and `Cookie` headers are
no longer sent if the redirect host is different from the original host
([#2013](https://redirect.github.com/websockets/ws/issues/2013)).

### [`v8.4.2`](https://redirect.github.com/websockets/ws/releases/tag/8.4.2)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.4.1...8.4.2)

### Bug fixes

- Fixed a data framing issue introduced in version 8.4.1
([#2004](https://redirect.github.com/websockets/ws/issues/2004)).

### [`v8.4.1`](https://redirect.github.com/websockets/ws/releases/tag/8.4.1)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.4.0...8.4.1)

### Notable changes

-   To improve performance, strings sent via `websocket.ping()`,
`websocket.pong()`, and `websocket.send()` are no longer converted to
`Buffer`s if the data does not need to be masked
([#2000](https://redirect.github.com/websockets/ws/issues/2000)).

### [`v8.4.0`](https://redirect.github.com/websockets/ws/releases/tag/8.4.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.3.0...8.4.0)

### Features

- Added ability to generate custom masking keys
([#1990](https://redirect.github.com/websockets/ws/issues/1990)).

### [`v8.3.0`](https://redirect.github.com/websockets/ws/releases/tag/8.3.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.2.3...8.3.0)

### Features

- Added ability to pause and resume a `WebSocket`
([`0a8c7a9`](https://redirect.github.com/websockets/ws/commit/0a8c7a9c)).

### Bug fixes

- Fixed a bug that could prevent the connection from being closed
cleanly when
using the stream API
([`ed2b803`](https://redirect.github.com/websockets/ws/commit/ed2b8039)).
- When following redirects, an error is now emitted and not thrown if
the redirect URL is invalid
([#1980](https://redirect.github.com/websockets/ws/issues/1980)).

### [`v8.2.3`](https://redirect.github.com/websockets/ws/releases/tag/8.2.3)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.2.2...8.2.3)

### Bug fixes

- When context takeover is enabled, messages are now compressed even if
their size
is below the value of the `perMessageDeflate.threshold` option
([`41ae563`](https://redirect.github.com/websockets/ws/commit/41ae5631)).

### [`v8.2.2`](https://redirect.github.com/websockets/ws/releases/tag/8.2.2)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.2.1...8.2.2)

### Bug fixes

- Some closing operations are now run only if needed
([`ec9377c`](https://redirect.github.com/websockets/ws/commit/ec9377ca)).

### [`v8.2.1`](https://redirect.github.com/websockets/ws/releases/tag/8.2.1)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.2.0...8.2.1)

### Bug fixes

- Fixed an issue where the socket was not resumed, preventing the
connection
from being closed cleanly
([`869c989`](https://redirect.github.com/websockets/ws/commit/869c9892)).

### [`v8.2.0`](https://redirect.github.com/websockets/ws/releases/tag/8.2.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.1.0...8.2.0)

### Features

-   Added `WebSocket.WebSocket` as an alias for `WebSocket` and
`WebSocket.WebSocketServer` as an alias for `WebSocket.Server` to fix
name consistency and improve interoperability with the ES module wrapper
([#1935](https://redirect.github.com/websockets/ws/issues/1935)).

### [`v8.1.0`](https://redirect.github.com/websockets/ws/releases/tag/8.1.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/8.0.0...8.1.0)

### Features

- Added ability to skip UTF-8 validation
([#1928](https://redirect.github.com/websockets/ws/issues/1928)).

### Bug fixes

- Fixed an issue with a breaking change in Node.js master
([`6a72da3`](https://redirect.github.com/websockets/ws/commit/6a72da3e)).
- Fixed a misleading error message
([`c95e695`](https://redirect.github.com/websockets/ws/commit/c95e695d)).

### [`v8.0.0`](https://redirect.github.com/websockets/ws/releases/tag/8.0.0)

[Compare Source](https://redirect.github.com/websockets/ws/compare/7.5.10...8.0.0)

### Breaking changes

-   The `WebSocket` constructor now throws a `SyntaxError` if any of the
subprotocol names are invalid or duplicated
([`0aecf0c`](https://redirect.github.com/websockets/ws/commit/0aecf0c9)).

-   The server now aborts the opening handshake if an invalid
`Sec-WebSocket-Protocol` header field value is received
([`1877dde`](https://redirect.github.com/websockets/ws/commit/1877ddeb)).

- The `protocols` argument of `handleProtocols` hook is no longer an
`Array` but
a `Set`
([`1877dde`](https://redirect.github.com/websockets/ws/commit/1877ddeb)).

- The opening handshake is now aborted if the `Sec-WebSocket-Extensions`
header
field value is empty or it begins or ends with a white space
([`e814110`](https://redirect.github.com/websockets/ws/commit/e814110e)).

- Dropped support for Node.js < 10.0.0
([`552b506`](https://redirect.github.com/websockets/ws/commit/552b5067)).

- The `WebSocket` constructor now throws a `SyntaxError` if the
connection URL
contains a fragment identifier or if the URL's protocol is not one of
`'ws:'`,
`'wss:'`, or `'ws+unix:'`
([`ebea038`](https://redirect.github.com/websockets/ws/commit/ebea038f)).

- Text messages and close reasons are no longer decoded to strings. They
are
passed as `Buffer`s to the listeners of their respective events. The
listeners
of the `'message'` event now take a boolean argument specifying whether
or not
the message is binary
([`e173423`](https://redirect.github.com/websockets/ws/commit/e173423c)).

    Existing code can be migrated by decoding the buffer explicitly.

    ```js
    websocket.on('message', function message(data, isBinary) {
      const message = isBinary ? data : data.toString();
      // Continue as before.
    });

    websocket.on('close', function close(code, data) {
      const reason = data.toString();
      // Continue as before.
    });
    ```

- The package now uses an ES module wrapper
([`78adf5f`](https://redirect.github.com/websockets/ws/commit/78adf5f7)).

- `WebSocketServer.prototype.close()` no longer closes existing
connections
([`df7de57`](https://redirect.github.com/websockets/ws/commit/df7de574)).

    Existing code can be migrated by closing the connections manually.

    ```js
    websocketServer.close();
    for (const ws of websocketServer.clients) {
      ws.terminate();
    }
    ```

- The callback of `WebSocketServer.prototype.close()` is now called with
an
error if the server is already closed
([`abde9cf`](https://redirect.github.com/websockets/ws/commit/abde9cfc)).

- `WebSocket.prototype.addEventListener()` is now a noop if the `type`
argument
is not one of `'close'`, `'error'`, `'message'`, or `'open'`
([`9558ed1`](https://redirect.github.com/websockets/ws/commit/9558ed1c)).

- `WebSocket.prototype.removeEventListener()` now only removes listeners
added with `WebSocket.prototype.addEventListener()` and only one at a time
([`ea95d9c`](https://redirect.github.com/websockets/ws/commit/ea95d9c4)).

- The value of the `onclose`, `onerror`, `onmessage`, and `onopen`
properties is
now `null` if the respective event handler is not set
([`6756cf5`](https://redirect.github.com/websockets/ws/commit/6756cf58)).

- The `OpenEvent` class has been removed
([`21e6500`](https://redirect.github.com/websockets/ws/commit/21e65004)).

### Bug fixes

- The event listeners added via handler properties are now independent
from the event listeners added with
`WebSocket.prototype.addEventListener()`
([`0b21c03`](https://redirect.github.com/websockets/ws/commit/0b21c03a)).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/settlemint/solidity-diamond-bond).

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate[bot] authored Jan 16, 2025
1 parent 06177f1 commit ebb91d8
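
The fixed release and the two mitigations from the 8.17.1 notes in the commit message, turned into a configuration check. This is an added example, not code from ws or this repository; `auditWsHeaderLimits`, the status labels and the 4-byte minimum header line are assumptions, while 2000 and 16384 are the Node.js defaults for `server.maxHeadersCount` and `maxHeaderSize`.

```javascript
'use strict';

// Added example: not code from ws, Node.js, Renovate or this repository.
const FIXED_IN_8X = [8, 17, 1];               // release whose notes describe the DoS fix
const NODE_DEFAULT_MAX_HEADERS_COUNT = 2000;  // Node.js default for server.maxHeadersCount
const NODE_DEFAULT_MAX_HEADER_SIZE = 16384;   // Node.js default for maxHeaderSize, in bytes
// Assumption: the shortest header line a client can send is "a:\r\n" (4 bytes).
const MIN_HEADER_LINE_BYTES = 4;

function parseExactVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new TypeError(`expected an exact x.y.z version, got "${version}"`);
  return m.slice(1).map(Number);
}

function isAtLeast(version, minimum) {
  for (let i = 0; i < 3; i++) {
    if (version[i] !== minimum[i]) return version[i] > minimum[i];
  }
  return true;
}

// Hypothetical helper: classifies one ws version plus HTTP server limits.
function auditWsHeaderLimits({
  wsVersion,
  maxHeadersCount = NODE_DEFAULT_MAX_HEADERS_COUNT,
  maxHeaderSize = NODE_DEFAULT_MAX_HEADER_SIZE
}) {
  const version = parseExactVersion(wsVersion);

  if (version[0] !== 8) {
    return { status: 'unknown', reason: 'only the 8.x release notes are covered here' };
  }
  if (isAtLeast(version, FIXED_IN_8X)) {
    return { status: 'fixed', reason: 'ws >= 8.17.1' };
  }
  // Mitigation 2: a value of 0 means no header count limit is applied.
  if (maxHeadersCount === 0) {
    return { status: 'mitigated', reason: 'server.maxHeadersCount is 0' };
  }
  // Mitigation 1: the header block cannot hold more lines than the count limit.
  const mostHeadersThatFit = Math.floor(maxHeaderSize / MIN_HEADER_LINE_BYTES);
  if (mostHeadersThatFit <= maxHeadersCount) {
    return { status: 'mitigated', reason: `at most ${mostHeadersThatFit} headers fit` };
  }
  return {
    status: 'exposed',
    reason: `${mostHeadersThatFit} headers fit but the limit is ${maxHeadersCount}`,
    suggestedMaxHeaderSize: maxHeadersCount * MIN_HEADER_LINE_BYTES
  };
}

// Constructed sample configurations.
for (const cfg of [
  { wsVersion: '8.18.0' },
  { wsVersion: '8.17.0' },
  { wsVersion: '8.17.0', maxHeadersCount: 0 },
  { wsVersion: '8.17.0', maxHeaderSize: 8000 }
]) {
  console.log(JSON.stringify(cfg), '->', auditWsHeaderLimits(cfg).status);
}
```

A 7.x version returns `unknown` because the release notes in this commit message describe only the 8.x line.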
Showing 2 changed files with 3 additions and 3 deletions.
4 changes: 2 additions & 2 deletions bun.lock
Expand Up @@ -23,7 +23,7 @@
"secp256k1",
],
"overrides": {
"ws": "7.5.10",
"ws": "8.18.0",
"elliptic": "6.6.1",
"@graphprotocol/graph-cli": "0.94.0",
"adm-zip": "0.5.16",
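Review bot: The `"ws": "8.18.0"` line under `"overrides"` moves every consumer of `ws` in the tree across a major version, and the 8.0.0 notes in this commit message list breaking changes (text messages and close reasons delivered as `Buffer`s, `WebSocketServer.prototype.close()` no longer closing existing connections, `handleProtocols` receiving a `Set`). An override replaces whatever range the dependents declare, so list the packages that resolve `ws` and confirm each supports 8.x before merging; the diff shows no test or code change covering that.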
Expand Down Expand Up @@ -1448,7 +1448,7 @@

"wrappy": ["wrappy@1.0.2", "", {}, "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="],

"ws": ["ws@7.5.10", "", { "peerDependencies": { "bufferutil": "^4.0.1", "utf-8-validate": "^5.0.2" }, "optionalPeers": ["bufferutil", "utf-8-validate"] }, "sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ=="],
"ws": ["ws@8.18.0", "", { "peerDependencies": { "bufferutil": "^4.0.1", "utf-8-validate": ">=5.0.2" }, "optionalPeers": ["bufferutil", "utf-8-validate"] }, "sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw=="],

"y18n": ["y18n@5.0.8", "", {}, "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA=="],

Expand Down
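Review bot: In the new `ws@8.18.0` entry the `utf-8-validate` peer range widens from `^5.0.2` to `>=5.0.2`, which no longer has an upper bound. Both peers are listed in `optionalPeers`, so this matters only if `utf-8-validate` or `bufferutil` is installed in this project; if so, check the installed versions against the new ranges. Also confirm that the new `sha512-` integrity value came from regenerating the lockfile rather than from a manual edit.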
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -51,7 +51,7 @@
"@graphprotocol/graph-cli": "0.94.0",
"@graphprotocol/graph-ts": "0.37.0",
"elliptic": "6.6.1",
"ws": "7.5.10",
"ws": "8.18.0",
"adm-zip": "0.5.16"
},
"trustedDependencies": [
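Review bot: `"ws": "8.18.0"` is an exact pin, so it includes the 8.17.1 DoS fix described in the commit message but will not pick up later 8.x fixes without another update. The hunk gives no indication of which dependency needs this override; record that in the PR or the repository docs so the entry can be removed once that dependency resolves a fixed `ws` on its own.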
Expand Down
