Bump ws from 7.4.5 to 7.4.6 #34

Open
wants to merge 1 commit into base: master

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Nov 4, 2021

Bumps ws from 7.4.5 to 7.4.6.

Release notes

Sourced from ws's releases.

7.4.6

Bug fixes

  • Fixed a ReDoS vulnerability (00c425ec).

A specially crafted value of the Sec-Websocket-Protocol header could be used to significantly slow down a ws server.

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  // Crafted header value: a token, a long run of spaces, then another token.
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();
  // The split regex backtracks over the run of spaces; time grows quadratically with length.
  value.trim().split(/ *, */);
  const end = process.hrtime.bigint();
  console.log('length = %d, time = %f ns', length, end - start);
}

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from the University of California, Santa Barbara.

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.
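As an added example that is not part of ws's release notes or of its code: a single-pass parser for the Sec-WebSocket-Protocol header, timed against the `split(/ *, */)` call from the benchmark in the release notes above. It assumes the RFC 7230 token grammar for subprotocol names, and the crafted value is the constructed one from the advisory.

```javascript
// Added example (not ws's own code): a single-pass parser for the
// Sec-WebSocket-Protocol header that never backtracks, unlike `split(/ *, */)`.
// Assumption: values are RFC 7230 tokens separated by commas and optional
// spaces/tabs; anything else (including a space inside a token) is rejected.
const TOKEN_CHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]$/;

function parseSubprotocols(header) {
  const protocols = new Set();
  let start = -1; // index where the current token began, -1 if none
  let end = -1;   // index just past the current token once trailing space is seen
  for (let i = 0; i < header.length; i++) {
    const c = header[i];
    if (c === ' ' || c === '\t') {
      if (end === -1 && start !== -1) end = i; // token ended, now in trailing OWS
    } else if (c === ',') {
      if (start === -1) throw new SyntaxError(`Unexpected character at index ${i}`);
      if (end === -1) end = i;
      const name = header.slice(start, end);
      if (protocols.has(name)) throw new SyntaxError(`The "${name}" subprotocol is duplicated`);
      protocols.add(name);
      start = end = -1;
    } else if (TOKEN_CHAR.test(c)) {
      // A token character after trailing whitespace means whitespace inside a token.
      if (end !== -1) throw new SyntaxError(`Unexpected character at index ${i}`);
      if (start === -1) start = i;
    } else {
      throw new SyntaxError(`Unexpected character at index ${i}`);
    }
  }
  if (start === -1) throw new SyntaxError('Unexpected end of input');
  const name = header.slice(start, end === -1 ? header.length : end);
  if (protocols.has(name)) throw new SyntaxError(`The "${name}" subprotocol is duplicated`);
  protocols.add(name);
  return protocols;
}

// Time the regex split from the advisory against the parser on the same crafted value.
function timeBoth(length) {
  const value = 'b' + ' '.repeat(length) + 'x'; // constructed input, as in the release notes
  let t = process.hrtime.bigint();
  value.trim().split(/ *, */); // backtracks over every run of spaces: quadratic
  const regexNs = Number(process.hrtime.bigint() - t);
  t = process.hrtime.bigint();
  try { parseSubprotocols(value); } catch (e) { /* rejected at the first 'x', in one pass */ }
  const parserNs = Number(process.hrtime.bigint() - t);
  return { regexNs, parserNs };
}

for (const n of [1000, 4000, 16000]) console.log(n, timeBoth(n));
```

The parser rejects the crafted value instead of spending time on it, which is the behaviour a server wants: a 400 for a malformed header rather than a stalled event loop.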

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 4, 2021
@dependabot dependabot bot mentioned this pull request Nov 4, 2021
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 3 times, most recently from 2ea9fb0 to ce28379 on November 18, 2021 14:11
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 2 times, most recently from 4795803 to c9a6d4d on December 11, 2021 00:05
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from c9a6d4d to 6022712 on December 17, 2021 21:30
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 6022712 to 9d15484 on January 14, 2022 19:49
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 2 times, most recently from ef258fe to 8738bb5 on January 30, 2022 11:10
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 2 times, most recently from dedc362 to fddfa00 on February 3, 2022 14:13
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 3 times, most recently from e1c8791 to 2cb223b on February 18, 2022 11:43
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 2cb223b to 1174ac4 on March 1, 2022 18:31
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 1174ac4 to 724551d on March 10, 2022 10:44
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 724551d to 89ecf38 on March 23, 2022 19:24
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 89ecf38 to 66e366d on August 17, 2022 15:16
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 2 times, most recently from b10d707 to 1245de3 on September 7, 2022 17:52
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 3 times, most recently from 8ae2c4c to de25167 on September 16, 2022 22:46
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 3 times, most recently from ca5ff9f to 1ed0dc3 on September 29, 2022 10:33
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 2 times, most recently from c1b4c83 to c10ecfe on October 13, 2022 10:45
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 2 times, most recently from 3fbbbe9 to 8bd68d2 on October 26, 2022 20:39
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 8bd68d2 to 378766f on October 28, 2022 00:04
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 378766f to 115a751 on November 4, 2022 00:17
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 115a751 to c90ced6 on November 16, 2022 23:21
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 2 times, most recently from 0e0210f to 36d1a7d on November 29, 2022 15:19
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 2 times, most recently from c88e988 to 2e512e4 on January 12, 2023 01:52
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 2e512e4 to c6a80c7 on January 17, 2023 14:53
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 4 times, most recently from f43acd3 to 67bd822 on February 17, 2023 14:28
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch 3 times, most recently from 6e40e5e to 341a763 on March 3, 2023 13:11
Bumps [ws](https://github.com/websockets/ws) from 7.4.5 to 7.4.6.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@7.4.5...7.4.6)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/ws-7.4.6 branch from 341a763 to 7a330f9 on March 7, 2023 17:57