This repository has been archived by the owner on Sep 27, 2021. It is now read-only.

[Snyk] Upgrade ws from 7.4.0 to 8.0.0 #205

Open
wants to merge 1 commit into
base: develop

Conversation

snyk-bot
Contributor

Snyk has created this PR to upgrade ws from 7.4.0 to 8.0.0.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


Warning: This is a major version upgrade, and may be a breaking change.

  • The recommended version is 12 versions ahead of your current version.
  • The recommended version was released a month ago, on 2021-07-28.

The recommended version fixes:

| Severity | Issue | PriorityScore (*) | Exploit Maturity |
|---|---|---|---|
| | Regular Expression Denial of Service (ReDoS), SNYK-JS-WS-1296835 | 586/1000. Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: ws
  • 8.0.0 - 2021-07-28

    Breaking changes

    • The WebSocket constructor now throws a SyntaxError if any of the
      subprotocol names are invalid or duplicated (0aecf0c).

    • The server now aborts the opening handshake if an invalid
      Sec-WebSocket-Protocol header field value is received (1877dde).

    • The protocols argument of handleProtocols hook is no longer an Array but
      a Set (1877dde).

    • The opening handshake is now aborted if the Sec-WebSocket-Extensions header
      field value is empty or it begins or ends with a white space (e814110).

    • Dropped support for Node.js < 10.0.0 (552b506).

    • The WebSocket constructor now throws a SyntaxError if the connection URL
      contains a fragment identifier or if the URL's protocol is not one of 'ws:',
      'wss:', or 'ws+unix:' (ebea038).

    • Text messages and close reasons are no longer decoded to strings. They are
      passed as Buffers to the listeners of their respective events. The listeners
      of the 'message' event now take a boolean argument specifying whether or not
      the message is binary (e173423).

      Existing code can be migrated by decoding the buffer explicitly.

      websocket.on('message', function message(data, isBinary) {
        const message = isBinary ? data : data.toString();
        // Continue as before.
      });

      websocket.on('close', function close(code, data) {
        const reason = data.toString();
        // Continue as before.
      });

    • The package now uses an ES module wrapper (78adf5f).

    • WebSocketServer.prototype.close() no longer closes existing connections
      (df7de57).

      Existing code can be migrated by closing the connections manually.

      websocketServer.close();
      for (const ws of websocketServer.clients) {
        ws.terminate();
      }
    • The callback of WebSocketServer.prototype.close() is now called with an
      error if the server is already closed (abde9cf).

    • WebSocket.prototype.addEventListener() is now a noop if the type argument
      is not one of 'close', 'error', 'message', or 'open' (a421eb5).

    • WebSocket.prototype.removeEventListener() now only removes listeners added
      with WebSocket.prototype.addEventListener() and only one at a time (1bd93f0).

    • The value of the onclose, onerror, onmessage, and onopen properties is
      now null if the respective event handler is not set (45790db).

    • The OpenEvent class has been removed (c4394c3).

    Bug fixes

    • The event listeners added via handler properties are now independent from the
      event listeners added with WebSocket.prototype.addEventListener()
      (0b21c03).
  • 7.5.4 - 2021-08-28

    Bug fixes

  • 7.5.3 - 2021-07-10

    Bug fixes

    • The WebSocketServer constructor now throws an error if more than one of the
      noServer, server, and port options are specified (66e58d2).
    • Fixed a bug where a 'close' event was emitted by a WebSocketServer before
      the internal HTTP/S server was actually closed (5a58730).
    • Fixed a bug that allowed WebSocket connections to be established after
      WebSocketServer.prototype.close() was called (772236a).
  • 7.5.2 - 2021-07-04

    Bug fixes

    • The opening handshake is now aborted if the client receives a
      Sec-WebSocket-Extensions header but no extension was requested or if the
      server indicates an extension not requested by the client (aca94c8).
  • 7.5.1 - 2021-06-29

    Bug fixes

    • Fixed an issue that prevented the connection from being closed properly if an
      error occurred simultaneously on both peers (b434b9f).
  • 7.5.0 - 2021-06-16

    Features

    • Some errors now have a code property describing the specific type of error
      that has occurred (#1901).

    Bug fixes

    • A close frame is now sent to the remote peer if an error (such as a data
      framing error) occurs (8806aa9).
    • The close code is now always 1006 if no close frame is received, even if the
      connection is closed due to an error (8806aa9).
  • 7.4.6 - 2021-05-25
  • 7.4.5 - 2021-04-18
  • 7.4.4 - 2021-03-06
  • 7.4.3 - 2021-02-02
  • 7.4.2 - 2020-12-29
  • 7.4.1 - 2020-12-04
  • 7.4.0 - 2020-11-08
from ws GitHub release notes
Commit messages
Package name: ws
  • bba3351 [dist] 8.0.0
  • c4394c3 [major] Overhaul event classes
  • 94a80cc [minor] Fix nits
  • 45790db [fix] Return `null` if the event handler is not set
  • 0b21c03 [fix] Make listeners added via event handler properties independent
  • 1bd93f0 [major] Ignore listeners not added with `Websocket#addEventListener()`
  • a421eb5 [major] Make `Websocket#addEventListener()` ignore non standard events
  • 77a675c [minor] Remove unneeded setters
  • 64b3c71 [pkg] Update mocha to version 8.4.0
  • abde9cf [major] Call the callback with an error if the server is closed
  • df7de57 [major] Do not close existing connections
  • 78adf5f [major] Add an ES module wrapper
  • e173423 [major] Do not decode `Buffer`s to strings
  • ebea038 [major] Throw an error if the connection URL is invalid
  • 552b506 [major] Drop support for Node.js < 10
  • e814110 [major] Make the Sec-WebSocket-Extensions header parser stricter
  • 1877dde [major] Validate the Sec-WebSocket-Protocol header
  • 0aecf0c [major] Validate subprotocol names
  • 4c1849a [dist] 7.5.3
  • 772236a [fix] Abort the handshake if the server is closing or closed
  • 5a58730 [fix] Emit the `'close'` event after the server is closed
  • ea63b29 [minor] Fix typo
  • 66e58d2 [fix] Make the `{noS,s}erver`, and `port` options mutually exclusive
  • ecb9d9e [minor] Improve JSDoc-inferred types (#1912)



Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
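
The 8.0.0 notes above say that an invalid or duplicated subprotocol name is now rejected, that a malformed Sec-WebSocket-Protocol value aborts the handshake, and that the handleProtocols hook receives a Set. The sketch below is an added example, not code from ws or from this PR: it shows that validation done in one linear pass with no regular expression, plus a hook written against a Set. All function names, the `chat.v1`/`chat.v2` subprotocols, the `false` return for "no match", and the rejection of empty list elements are assumptions of the example.

```javascript
// RFC 7230 "tchar": the characters allowed in an HTTP token (a subprotocol name).
const TCHAR = new Set("!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ");
const isOws = (c) => c === ' ' || c === '\t';

function isToken(name) {
  if (name.length === 0) return false;
  for (const ch of name) if (!TCHAR.has(ch)) return false;
  return true;
}

// Trim SP/HTAB by index (no regex), so cost stays linear in the header length.
function stripOws(s) {
  let start = 0, end = s.length;
  while (start < end && isOws(s[start])) start++;
  while (end > start && isOws(s[end - 1])) end--;
  return s.slice(start, end);
}

// Throws on invalid or duplicated names; empty elements are rejected (sketch's choice).
function parseSubprotocols(header) {
  const protocols = new Set();
  for (const part of header.split(',')) {
    const name = stripOws(part);
    if (!isToken(name)) throw new SyntaxError(`invalid subprotocol name ${JSON.stringify(name)}`);
    if (protocols.has(name)) throw new SyntaxError(`duplicated subprotocol name "${name}"`);
    protocols.add(name);
  }
  return protocols;
}

// Hook written against a Set: Array-only idioms such as protocols.includes(x)
// or protocols[0] no longer work, so use has() and iteration instead.
function selectProtocol(protocols, supported = ['chat.v2', 'chat.v1']) {
  for (const name of supported) if (protocols.has(name)) return name;
  return false; // sketch convention: no common subprotocol
}

// Handshake decision: refuse a malformed header instead of passing it on.
function negotiate(headerValue) {
  try {
    return { ok: true, protocol: selectProtocol(parseSubprotocols(headerValue)) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample header values, not taken from real traffic.
for (const h of ['chat.v1, chat.v2', 'chat.v1,chat.v1', 'chat v1', 'mqtt']) {
  console.log(JSON.stringify(h), '->', JSON.stringify(negotiate(h)));
}
```

Code that still indexes or calls Array methods on the hook's argument is the part of an upgrade most likely to fail silently, so search the code base for handleProtocols before merging.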
