chore(deps): update dependency ws to v6.2.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
ws	6.2.1 -> 6.2.2

GitHub Vulnerability Alerts

CVE-2021-32640

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

Patches

The vulnerability was fixed in [email protected] (websockets/ws@00c425e) and backported to [email protected] (websockets/ws@78c676d).

Workarounds

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Credits

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

References

• GHSA-6fc8-4gx4-v693
• https://nvd.nist.gov/vuln/detail/CVE-2021-32640
• websockets/ws@00c425e
• Backport Security Fix to 6.2.1 websockets/ws#1895

---

Release Notes

websockets/ws

v6.2.2

Compare Source

Bug fixes

• Backported 00c425e to the 6.x release line (78c676d).

---

Configuration

📅 Schedule: "" in timezone America/Los_Angeles.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.

[wbruno]

can we merge this PR?

[glasser]

We can merge it but I don't think it fixes the underlying issue that subscriptions-transport-ws has a dependency on ws v5 which is vulnerable.

All ws dependencies are removed in the under-active-development release-3.0 branch. I'm happy to review and merge and release a subscriptions-transport-ws PR that upgrades its dependency to something more modern but otherwise am focused on "drop this dependency entirely" instead of "figure out if it's OK to upgrade a dependency of an essentially unmaintained package (subscriptions-transport-ws)".

[glasser]

(Merged, but to be clear: this updates a dev dependency at the top level of the monorepo that gets installed when actively developing this repo, and has no effect on the published dependencies of any of the actual packages.)

[glasser]

You can now upgrade to [email protected] which has the security fix with no major version changes. Alternatively, you can upgrade to [email protected] which allows you to use ws 6 or 7; Apollo Server v2.25.1 updates all relevant dependencies.