
Bump ws and socket.io-client #1

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/multi-ca4d9ec7f8

@dependabot dependabot Bot commented on behalf of github Jun 13, 2026


Bumps ws to 8.20.1 and updates ancestor dependency socket.io-client. These dependencies need to be updated together.

Updates ws from 8.17.1 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      // The reason received should be the array's 80 bytes, all zero.
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  // A TypedArray is passed as the close reason instead of a string or Buffer.
  ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

  • Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

  • Added the closeTimeout option (#2308).

Bug fixes

  • Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • 3ee5349 [api] Convert the isServer and maxPayload parameters to options
  • 91707b4 [doc] Add missing space
  • 8b55319 [pkg] Update eslint to version 10.0.1
  • Additional commits viewable in compare view

Updates socket.io-client from 4.7.4 to 4.8.3

Release notes

Sourced from socket.io-client's releases.

socket.io-client@4.8.3

There were some minor bug fixes on the server side, which mandate a client bump.

Dependencies

socket.io-client@4.8.2

Bug Fixes

  • bundle: do not mangle the "_placeholder" attribute (bis) (cdae019)
  • drain queue before emitting "connect" (#5259) (d19928e)

Dependencies

socket.io-client@4.8.1

Bug Fixes

  • bundle: do not mangle the "_placeholder" attribute (ca9e994)

Dependencies

socket.io-client@4.8.0

Features

Custom transport implementations

The transports option now accepts an array of transport implementations:

import { io } from "socket.io-client";
import { XHR, WebSocket } from "engine.io-client";

const socket = io({
  transports: [XHR, WebSocket]
});

Here is the list of provided implementations:

| Transport | Description |

... (truncated)

Commits
  • e9e5bed chore(release): socket.io-client@4.8.3
  • 9581f9b fix(sio): do not throw when calling io.close() on a stopped server
  • 579d43f refactor: remove unused files
  • ee9aac3 chore(release): socket.io-parser@4.2.5
  • 968277c chore(release): socket.io-adapter@2.5.6
  • 2bf16bd chore(release): engine.io-client@6.6.4
  • ad61607 docs(eio): fix link in the release notes
  • dd71792 chore(release): socket.io@4.8.2
  • bb0b480 fix(sio): improve io.close() function (#5344)
  • 161be91 test(sio): pin version of the client bundle in the tests
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for socket.io-client since your current version.
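The ws 8.20.1 release note quoted in the PR description ties the memory disclosure to a TypedArray being passed as the close reason. As an added example, not code from ws, socket.io or this repository, the hypothetical helpers `normalizeCloseReason` and `safeClose` below show an application-side guard that lets only a string or Buffer reach `close()`; it complements the upgrade and does not replace it.

```javascript
// Added example: validate a close reason before it reaches websocket.close().
// Function names are hypothetical and not part of the ws API.

// RFC 6455 caps control-frame payloads at 125 bytes; 2 of them are the status code.
const MAX_REASON_BYTES = 123;

function normalizeCloseReason(reason) {
  if (reason === undefined) return Buffer.alloc(0);
  let buf;
  if (typeof reason === 'string') {
    buf = Buffer.from(reason, 'utf8');
  } else if (Buffer.isBuffer(reason)) {
    buf = reason;
  } else {
    // TypedArray, DataView, ArrayBuffer, plain objects, numbers: refuse
    // instead of guessing at a byte layout.
    const kind = reason === null ? 'null' : reason.constructor?.name ?? typeof reason;
    throw new TypeError(`close reason must be a string or Buffer, got ${kind}`);
  }
  if (buf.length > MAX_REASON_BYTES) {
    throw new RangeError(`close reason is ${buf.length} bytes, limit is ${MAX_REASON_BYTES}`);
  }
  return buf;
}

// `socket` is any object with a ws-style close(code, reason) method.
function safeClose(socket, code, reason) {
  socket.close(code, normalizeCloseReason(reason));
}

// Constructed inputs, including the Float32Array case from the release note.
function demo() {
  const inputs = ['done', Buffer.from('bye'), new Float32Array(20), new Uint8Array(4), 'x'.repeat(124)];
  return inputs.map((input) => {
    try {
      return `ok:${normalizeCloseReason(input).length}`;
    } catch (err) {
      return err.name;
    }
  });
}

console.log(demo());
```

A plain `Uint8Array` is rejected as well, because `Buffer.isBuffer()` is true only for real Buffers even though Buffer is a Uint8Array subclass.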


@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jun 13, 2026
Bumps [ws](https://github.com/websockets/ws) to 8.20.1 and updates ancestor dependency [socket.io-client](https://github.com/socketio/socket.io). These dependencies need to be updated together.


Updates `ws` from 8.17.1 to 8.20.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.17.1...8.20.1)

Updates `socket.io-client` from 4.7.4 to 4.8.3
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io/compare/4.7.4...socket.io-client@4.8.3)

---
updated-dependencies:
- dependency-name: socket.io-client
  dependency-version: 4.8.3
  dependency-type: direct:production
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-ca4d9ec7f8 branch from af583c0 to 2895dd2 Compare June 13, 2026 19:47

dependabot Bot commented on behalf of github Jun 20, 2026


Superseded by #7.

@dependabot dependabot Bot closed this Jun 20, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/multi-ca4d9ec7f8 branch June 20, 2026 22:12