Commit 092099a
authored
chore(deps)(deps): bump ws and engine.io-client in /frontend/studyhub-app (#370)
Bumps [ws](https://github.com/websockets/ws) and
[engine.io-client](https://github.com/socketio/socket.io). These
dependencies needed to be updated together.
Updates `ws` from 8.20.0 to 8.21.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/websockets/ws/releases">ws's
releases</a>.</em></p>
<blockquote>
<h2>8.21.0</h2>
<h1>Features</h1>
<ul>
<li>Introduced the <code>maxBufferedChunks</code> and
<code>maxFragments</code> options (2b2abd45).</li>
</ul>
<h1>Bug fixes</h1>
<ul>
<li>Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).</li>
</ul>
<p>A high volume of tiny fragments and data chunks could be sent by a
peer, using
modest network traffic, to crash a <code>ws</code> server or client due
to OOM.</p>
<pre lang="js"><code>import { WebSocket, WebSocketServer } from 'ws';
<p>const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(<code>ws://localhost:${port}</code>);</p>
<p>ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});</p>
<p>ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(<code>client close - code: ${code} reason:
${reason.toString()}</code>);
});
});</p>
<p>wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(<code>server close - code: ${code} reason:
${reason.toString()}</code>);
});
});
</code></pre></p>
<p>The vulnerability was responsibly disclosed and fixed by <a
href="https://github.com/Nadav0077">Nadav Magier</a>.</p>
<p>In vulnerable versions, the issue can be mitigated by lowering the
value of the
<code>maxPayload</code> option if possible.</p>
<h2>8.20.1</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"><code>bca91ad</code></a>
[dist] 8.21.0</li>
<li><a
href="https://github.com/websockets/ws/commit/2b2abd458a1b647d0b6033bd62a619c36189839a"><code>2b2abd4</code></a>
[security] Limit retained message parts</li>
<li><a
href="https://github.com/websockets/ws/commit/78eabe2a6677b231bf9c82601bde86ff91639490"><code>78eabe2</code></a>
[security] Add latest vulnerability to SECURITY.md</li>
<li><a
href="https://github.com/websockets/ws/commit/5d9b316230ea931532a6671cc450f18c11edd02f"><code>5d9b316</code></a>
[dist] 8.20.1</li>
<li><a
href="https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086"><code>c0327ec</code></a>
[security] Fix uninitialized memory disclosure in
<code>websocket.close()</code></li>
<li><a
href="https://github.com/websockets/ws/commit/ce2a3d62437995a47e6056d485a33d21b6a8f867"><code>ce2a3d6</code></a>
[ci] Test on node 26</li>
<li><a
href="https://github.com/websockets/ws/commit/58e45b872bb0f35a3edd553c27e105300a4f5bd0"><code>58e45b8</code></a>
[ci] Do not test on node 25</li>
<li><a
href="https://github.com/websockets/ws/commit/5f26c245231a4b018479a9269e8c3da4773fe42f"><code>5f26c24</code></a>
[ci] Run the lint step on node 24</li>
<li>See full diff in <a
href="https://github.com/websockets/ws/compare/8.20.0...8.21.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `engine.io-client` from 6.6.4 to 6.6.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/socketio/socket.io/releases">engine.io-client's
releases</a>.</em></p>
<blockquote>
<h2>engine.io-client@6.6.5</h2>
<p>The <code>ws</code> dependency was bumped to <code>~8.20.1</code>
following <a
href="https://github.com/advisories/GHSA-58qx-3vcg-4xpx">CVE-2026-45736</a>.</p>
<p>Note from the <code>ws</code> maintainers:</p>
<blockquote>
<p>Although the calculated CVSS severity is medium, the actual severity
is believed to be low, as the flaw is only exploitable through misuse
that is unlikely in practice.</p>
</blockquote>
<h3>Dependencies</h3>
<ul>
<li><a
href="https://github.com/websockets/ws/releases/tag/8.20.1"><code>ws@~8.20.1</code></a>
(<a
href="https://github.com/websockets/ws/compare/8.18.3...8.20.1">diff</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/socketio/socket.io/commit/8413bce4c11fe440516e51ac14be0f45a6f9e5e7"><code>8413bce</code></a>
chore(release): engine.io-client@6.6.5</li>
<li><a
href="https://github.com/socketio/socket.io/commit/c10fe07493890b8899511fca6bfe45dc1fa8dc34"><code>c10fe07</code></a>
refactor(eio-client): improve JSDoc documentation</li>
<li><a
href="https://github.com/socketio/socket.io/commit/9349b148c9d9369bf9e6c9cace99424d564ade01"><code>9349b14</code></a>
refactor(eio-client): remove unused import</li>
<li><a
href="https://github.com/socketio/socket.io/commit/ffe51e270afd63e641090152ed9ef7638635d54f"><code>ffe51e2</code></a>
chore(release): engine.io@6.6.8</li>
<li><a
href="https://github.com/socketio/socket.io/commit/f86b95fdba6dd260b3d2f57e69537aeb8de904bb"><code>f86b95f</code></a>
fix(eio): clean up resources upon WebTransport handshake failure</li>
<li><a
href="https://github.com/socketio/socket.io/commit/4276e5940815ad1343503f8ef5f147af5382aa42"><code>4276e59</code></a>
refactor(eio): fix typo in the <code>cookie</code> option</li>
<li><a
href="https://github.com/socketio/socket.io/commit/5257ef9adfa02a4e8f8eaa5f6810565f979ccc48"><code>5257ef9</code></a>
chore(deps): upgrade to ws@8.20.1 (<a
href="https://redirect.github.com/socketio/socket.io/issues/5439">#5439</a>)</li>
<li><a
href="https://github.com/socketio/socket.io/commit/439a8f669c6788b512dd76011c4476830d67515b"><code>439a8f6</code></a>
chore(release): engine.io@6.6.7</li>
<li><a
href="https://github.com/socketio/socket.io/commit/fc11285e14964c2132d122164bf130c355f60671"><code>fc11285</code></a>
fix(eio): close HTTP requests with invalid content type</li>
<li><a
href="https://github.com/socketio/socket.io/commit/b059af6b12e69729540e78751e9be080fd1e7fb5"><code>b059af6</code></a>
refactor(eio): use plain IncomingMessage in the public API</li>
<li>Additional commits viewable in <a
href="https://github.com/socketio/socket.io/compare/engine.io-client@6.6.4...engine.io-client@6.6.5">compare
view</a></li>
</ul>
</details>
<br />
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>1 parent ce82335 commit 092099a
1 file changed
Lines changed: 10 additions & 30 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
0 commit comments