Skip to content

Bump ws from 8.20.0 to 8.20.1#72

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/ws-8.20.1
May 19, 2026
Merged

Bump ws from 8.20.0 to 8.20.1#72
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/ws-8.20.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 19, 2026
edited
Loading

Bumps ws from 8.20.0 to 8.20.1.

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

Commits
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 19, 2026
@dependabot
Bump ws from 8.20.0 to 8.20.1
62eb5d8 
Bumps [ws](https://github.com/websockets/ws) from 8.20.0 to 8.20.1.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.20.1)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/ws-8.20.1 branch from 22a094f to 62eb5d8 Compare May 19, 2026 11:21
@github-actions github-actions Bot merged commit c1fa44e into main May 19, 2026
2 checks passed
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 19, 2026

Automerged
Reason: Default rule for package-lock: Minor and patch updates are merged
Merge method: merge

Dependabot Information:

  • Package name(s): ws
  • Update type: patch
  • Dependency type: package-lock
  • Previous version: 8.20.0
  • New version: 8.20.1

Modified Files:

  • package-lock.json

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/ws-8.20.1 branch May 19, 2026 11:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@ltspicer ltspicer

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ltspicer