This repository has been archived by the owner on Sep 27, 2021. It is now read-only.

[Snyk] Upgrade ws from 7.4.0 to 8.2.1 #208

Open: wants to merge 1 commit into base: develop

snyk-bot

Snyk has created this PR to upgrade ws from 7.4.0 to 8.2.1.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


Warning: This is a major version upgrade, and may be a breaking change.

  • The recommended version is 16 versions ahead of your current version.
  • The recommended version was released 21 days ago, on 2021-08-28.

The recommended version fixes:

  • Issue: Regular Expression Denial of Service (ReDoS), SNYK-JS-WS-1296835
  • PriorityScore (*): 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3)
  • Exploit Maturity: Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: ws
  • 8.2.1 - 2021-08-28

    Bug fixes

    • Fixed an issue where the socket was not resumed, preventing the connection
      from being closed cleanly (869c989).
  • 8.2.0 - 2021-08-18

    Features

    • Added WebSocket.WebSocket as an alias for WebSocket and
      WebSocket.WebSocketServer as an alias for WebSocket.Server to fix name
      consistency and improve interoperability with the ES module wrapper (#1935).
  • 8.1.0 - 2021-08-11

    Features

    • Added ability to skip UTF-8 validation (#1928).

    Bug fixes

    • Fixed an issue with a breaking change in Node.js master (6a72da3).
    • Fixed a misleading error message (c95e695).
  • 8.0.0 - 2021-07-28

    Breaking changes

    • The WebSocket constructor now throws a SyntaxError if any of the
      subprotocol names are invalid or duplicated (0aecf0c).

    • The server now aborts the opening handshake if an invalid
      Sec-WebSocket-Protocol header field value is received (1877dde).

    • The protocols argument of handleProtocols hook is no longer an Array but
      a Set (1877dde).

    • The opening handshake is now aborted if the Sec-WebSocket-Extensions header
      field value is empty or it begins or ends with a white space (e814110).

    • Dropped support for Node.js < 10.0.0 (552b506).

    • The WebSocket constructor now throws a SyntaxError if the connection URL
      contains a fragment identifier or if the URL's protocol is not one of 'ws:',
      'wss:', or 'ws+unix:' (ebea038).

    • Text messages and close reasons are no longer decoded to strings. They are
      passed as Buffers to the listeners of their respective events. The listeners
      of the 'message' event now take a boolean argument specifying whether or not
      the message is binary (e173423).

      Existing code can be migrated by decoding the buffer explicitly.

      websocket.on('message', function message(data, isBinary) {
        const message = isBinary ? data : data.toString();
        // Continue as before.
      });

      websocket.on('close', function close(code, data) {
        const reason = data.toString();
        // Continue as before.
      });

    • The package now uses an ES module wrapper (78adf5f).

    • WebSocketServer.prototype.close() no longer closes existing connections
      (df7de57).

      Existing code can be migrated by closing the connections manually.

      websocketServer.close();
      for (const ws of websocketServer.clients) {
        ws.terminate();
      }
    • The callback of WebSocketServer.prototype.close() is now called with an
      error if the server is already closed (abde9cf).

    • WebSocket.prototype.addEventListener() is now a noop if the type argument
      is not one of 'close', 'error', 'message', or 'open' (9558ed1).

    • WebSocket.prototype.removeEventListener() now only removes listeners added
      with WebSocket.prototype.addEventListener() and only one at a time (ea95d9c).

    • The value of the onclose, onerror, onmessage, and onopen properties is
      now null if the respective event handler is not set (6756cf5).

    • The OpenEvent class has been removed (21e6500).

    Bug fixes

    • The event listeners added via handler properties are now independent from the
      event listeners added with WebSocket.prototype.addEventListener()
      (0b21c03).
  • 7.5.5 - 2021-09-08

    Bug fixes

  • 7.5.4 - 2021-08-28

    Bug fixes

  • 7.5.3 - 2021-07-10

    Bug fixes

    • The WebSocketServer constructor now throws an error if more than one of the
      noServer, server, and port options are specified (66e58d2).
    • Fixed a bug where a 'close' event was emitted by a WebSocketServer before
      the internal HTTP/S server was actually closed (5a58730).
    • Fixed a bug that allowed WebSocket connections to be established after
      WebSocketServer.prototype.close() was called (772236a).
  • 7.5.2 - 2021-07-04

    Bug fixes

    • The opening handshake is now aborted if the client receives a
      Sec-WebSocket-Extensions header but no extension was requested or if the
      server indicates an extension not requested by the client (aca94c8).
  • 7.5.1 - 2021-06-29

    Bug fixes

    • Fixed an issue that prevented the connection from being closed properly if an
      error occurred simultaneously on both peers (b434b9f).
  • 7.5.0 - 2021-06-16
  • 7.4.6 - 2021-05-25
  • 7.4.5 - 2021-04-18
  • 7.4.4 - 2021-03-06
  • 7.4.3 - 2021-02-02
  • 7.4.2 - 2020-12-29
  • 7.4.1 - 2020-12-04
  • 7.4.0 - 2020-11-08
from ws GitHub release notes
Commit messages
Package name: ws
  • cc7a779 [dist] 8.2.1
  • 869c989 [fix] Resume the socket in the next tick
  • ea6c054 [test] Reorganize some tests
  • 7647a89 [dist] 8.2.0
  • d5e3549 [minor] Add `WebSocket.WebSocket{,Server}` aliases (#1935)
  • c677aab [doc] Fix `createWebSocketStream()` documentation
  • f38247e [doc] Sort options alphabetically
  • 142f091 [dist] 8.1.0
  • d21c810 [feature] Add ability to skip UTF-8 validation (#1928)
  • 9bd3bd1 [minor] Fix typo (#1929)
  • 1e938f1 [major] Use an options object instead of positional arguments
  • 7f0b5c4 [example] Update uuid to version 8.3.2
  • fd47c96 [test] Move code block closer to where it is used
  • c95e695 [fix] Fix misleading error message
  • 6a72da3 [fix] Do not rely on undocumented behavior
  • 04e74a1 [license] Fix license text
  • fc40248 [dist] 8.0.0
  • 21e6500 [major] Overhaul event classes
  • bd7febb [minor] Fix nits
  • 6756cf5 [fix] Return `null` if the event handler is not set
  • 8c61563 [fix] Make listeners added via event handler properties independent
  • ea95d9c [major] Ignore listeners not added with `WebSocket#addEventListener()`
  • 9558ed1 [major] Make `WebSocket#addEventListener()` ignore non standard events
  • 77a675c [minor] Remove unneeded setters

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
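
For reviewing this upgrade, the following added example (not code from ws, Snyk, or this repository) shows helpers that behave the same on ws 7.x and 8.x for three of the 8.0.0 breaking changes listed above: Buffer message payloads with `isBinary`, the `handleProtocols` argument becoming a Set, and `close()` no longer closing existing connections. All function names are hypothetical and the inputs are constructed stand-ins for what each major version delivers.

```javascript
// Added example; function names are hypothetical, only Node.js globals used.

// 'message': ws 7.x passes text as a string; ws 8.x passes a Buffer plus an
// isBinary flag. Text is decoded strictly so malformed UTF-8 throws.
function normalizeMessage(data, isBinary) {
  if (typeof data === 'string') return { binary: false, payload: data };
  const buf = Array.isArray(data) ? Buffer.concat(data)   // list of fragments
    : Buffer.isBuffer(data) ? data : Buffer.from(data);   // ArrayBuffer
  // On 7.x isBinary is undefined and every non-string payload is binary.
  if (isBinary === undefined || isBinary) return { binary: true, payload: buf };
  const decoder = new TextDecoder('utf-8', { fatal: true, ignoreBOM: true });
  return { binary: false, payload: decoder.decode(buf) };
}

// 'close': the reason is a string on 7.x and a Buffer on 8.x.
function closeReason(data) {
  return typeof data === 'string' ? data : Buffer.from(data).toString('utf8');
}

// handleProtocols: Array on 7.x, Set on 8.x. Returns the first subprotocol in
// the server's preference list that the client offered, or false if none.
function selectProtocol(offered, allowed) {
  const set = offered instanceof Set ? offered : new Set(offered);
  for (const name of allowed) if (set.has(name)) return name;
  return false;
}

// close(): 8.x no longer closes existing connections, so terminate them too.
// Returns how many clients were terminated.
function closeServer(server, done) {
  server.close(done);
  let terminated = 0;
  for (const ws of server.clients) {
    ws.terminate();
    terminated += 1;
  }
  return terminated;
}

// Constructed inputs: the same text frame as delivered by 7.x and by 8.x.
console.log(normalizeMessage('hi'), normalizeMessage(Buffer.from('hi'), false));
console.log(selectProtocol(['v1', 'v2'], ['v2']), selectProtocol(new Set(['v1']), ['v2']));
```

Wire `normalizeMessage` and `closeReason` into the existing `'message'` and `'close'` listeners before merging so the same handler code runs against either major version.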
