Skip to content

Commit 092099a

Browse files
chore(deps)(deps): bump ws and engine.io-client in /frontend/studyhub-app (#370)
Bumps [ws](https://github.com/websockets/ws) and [engine.io-client](https://github.com/socketio/socket.io). These dependencies needed to be updated together. Updates `ws` from 8.20.0 to 8.21.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/websockets/ws/releases">ws's releases</a>.</em></p> <blockquote> <h2>8.21.0</h2> <h1>Features</h1> <ul> <li>Introduced the <code>maxBufferedChunks</code> and <code>maxFragments</code> options (2b2abd45).</li> </ul> <h1>Bug fixes</h1> <ul> <li>Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).</li> </ul> <p>A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a <code>ws</code> server or client due to OOM.</p> <pre lang="js"><code>import { WebSocket, WebSocketServer } from 'ws'; <p>const wss = new WebSocketServer({ port: 0 }, function () { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket(<code>ws://localhost:${port}</code>);</p> <p>ws.on('open', function () { (function send() { ws.send(data, options, function (err) { if (err) return; send(); }); })(); });</p> <p>ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(<code>client close - code: ${code} reason: ${reason.toString()}</code>); }); });</p> <p>wss.on('connection', function (ws) { ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(<code>server close - code: ${code} reason: ${reason.toString()}</code>); }); }); </code></pre></p> <p>The vulnerability was responsibly disclosed and fixed by <a href="https://github.com/Nadav0077">Nadav Magier</a>.</p> <p>In vulnerable versions, the issue can be mitigated by lowering the value of the <code>maxPayload</code> option if possible.</p> <h2>8.20.1</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"><code>bca91ad</code></a> [dist] 8.21.0</li> <li><a href="https://github.com/websockets/ws/commit/2b2abd458a1b647d0b6033bd62a619c36189839a"><code>2b2abd4</code></a> [security] Limit retained message parts</li> <li><a href="https://github.com/websockets/ws/commit/78eabe2a6677b231bf9c82601bde86ff91639490"><code>78eabe2</code></a> [security] Add latest vulnerability to SECURITY.md</li> <li><a href="https://github.com/websockets/ws/commit/5d9b316230ea931532a6671cc450f18c11edd02f"><code>5d9b316</code></a> [dist] 8.20.1</li> <li><a href="https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086"><code>c0327ec</code></a> [security] Fix uninitialized memory disclosure in <code>websocket.close()</code></li> <li><a href="https://github.com/websockets/ws/commit/ce2a3d62437995a47e6056d485a33d21b6a8f867"><code>ce2a3d6</code></a> [ci] Test on node 26</li> <li><a href="https://github.com/websockets/ws/commit/58e45b872bb0f35a3edd553c27e105300a4f5bd0"><code>58e45b8</code></a> [ci] Do not test on node 25</li> <li><a href="https://github.com/websockets/ws/commit/5f26c245231a4b018479a9269e8c3da4773fe42f"><code>5f26c24</code></a> [ci] Run the lint step on node 24</li> <li>See full diff in <a href="https://github.com/websockets/ws/compare/8.20.0...8.21.0">compare view</a></li> </ul> </details> <br /> Updates `engine.io-client` from 6.6.4 to 6.6.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/socketio/socket.io/releases">engine.io-client's releases</a>.</em></p> <blockquote> <h2>engine.io-client@6.6.5</h2> <p>The <code>ws</code> dependency was bumped to <code>~8.20.1</code> following <a href="https://github.com/advisories/GHSA-58qx-3vcg-4xpx">CVE-2026-45736</a>.</p> <p>Note from the <code>ws</code> maintainers:</p> <blockquote> <p>Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.</p> </blockquote> <h3>Dependencies</h3> <ul> <li><a href="https://github.com/websockets/ws/releases/tag/8.20.1"><code>ws@~8.20.1</code></a> (<a href="https://github.com/websockets/ws/compare/8.18.3...8.20.1">diff</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/socketio/socket.io/commit/8413bce4c11fe440516e51ac14be0f45a6f9e5e7"><code>8413bce</code></a> chore(release): engine.io-client@6.6.5</li> <li><a href="https://github.com/socketio/socket.io/commit/c10fe07493890b8899511fca6bfe45dc1fa8dc34"><code>c10fe07</code></a> refactor(eio-client): improve JSDoc documentation</li> <li><a href="https://github.com/socketio/socket.io/commit/9349b148c9d9369bf9e6c9cace99424d564ade01"><code>9349b14</code></a> refactor(eio-client): remove unused import</li> <li><a href="https://github.com/socketio/socket.io/commit/ffe51e270afd63e641090152ed9ef7638635d54f"><code>ffe51e2</code></a> chore(release): engine.io@6.6.8</li> <li><a href="https://github.com/socketio/socket.io/commit/f86b95fdba6dd260b3d2f57e69537aeb8de904bb"><code>f86b95f</code></a> fix(eio): clean up resources upon WebTransport handshake failure</li> <li><a href="https://github.com/socketio/socket.io/commit/4276e5940815ad1343503f8ef5f147af5382aa42"><code>4276e59</code></a> refactor(eio): fix typo in the <code>cookie</code> option</li> <li><a href="https://github.com/socketio/socket.io/commit/5257ef9adfa02a4e8f8eaa5f6810565f979ccc48"><code>5257ef9</code></a> chore(deps): upgrade to ws@8.20.1 (<a href="https://redirect.github.com/socketio/socket.io/issues/5439">#5439</a>)</li> <li><a href="https://github.com/socketio/socket.io/commit/439a8f669c6788b512dd76011c4476830d67515b"><code>439a8f6</code></a> chore(release): engine.io@6.6.7</li> <li><a href="https://github.com/socketio/socket.io/commit/fc11285e14964c2132d122164bf130c355f60671"><code>fc11285</code></a> fix(eio): close HTTP requests with invalid content type</li> <li><a href="https://github.com/socketio/socket.io/commit/b059af6b12e69729540e78751e9be080fd1e7fb5"><code>b059af6</code></a> refactor(eio): use plain IncomingMessage in the public API</li> <li>Additional commits viewable in <a href="https://github.com/socketio/socket.io/compare/engine.io-client@6.6.4...engine.io-client@6.6.5">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent ce82335 commit 092099a

1 file changed

Lines changed: 10 additions & 30 deletions

File tree

frontend/studyhub-app/package-lock.json

Lines changed: 10 additions & 30 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)