
chore(deps): update dependency ws to v5.2.3 [security] #16733

Merged: 1 commit merged into develop from renovate/npm-ws-vulnerability on Jun 9, 2021

Conversation

renovate[bot] (Contributor) commented May 28, 2021

WhiteSource Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| ws | 5.2.2 -> 5.2.3 |

GitHub Vulnerability Alerts

CVE-2021-32640

Impact

A specially crafted value of the Sec-WebSocket-Protocol header can be used to significantly slow down a ws server: the header value was split with a regular expression whose matching time grows roughly quadratically with the length of a run of spaces that is not followed by a comma, so a single oversized header consumes CPU time out of proportion to its size.

Proof of concept

```js
// Proof of concept from the advisory: time the header split that vulnerable
// ws versions applied to Sec-WebSocket-Protocol. Each doubling of the run of
// spaces increases the time by roughly four times, because the regex
// backtracks over the whitespace looking for a comma that never comes.
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}
```

Patches

The vulnerability was fixed in ws@7.4.6 (websockets/ws@00c425e) and backported to ws@6.2.2 (websockets/ws@78c676d) and ws@5.2.3 (websockets/ws@76d47c1).

Workarounds

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers, using the Node.js `--max-http-header-size=size` command-line flag and/or the `maxHeaderSize` option of the HTTP server. This bounds the size of the input the regular expression sees, which caps the cost of a single request but does not remove the quadratic behaviour itself.
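To make the defect and its remedy concrete, the following is an added example (not code from the advisory, from ws, or from this PR) that places the vulnerable one-line split beside a single-pass subprotocol parser of my own. The parser is a constructed illustration of the approach, not the parser that ws ships: it walks the header once, keeps only RFC 6455 token characters inside a name, treats spaces and tabs as separators, rejects duplicates and malformed input, and runs in time linear in the header length, so the pathological value from the proof of concept above is rejected immediately instead of being backtracked over.

```javascript
'use strict';

// Characters permitted in a subprotocol name: an RFC 2616 "token", i.e. any
// printable ASCII character except the separators. Constructed here for the
// example rather than taken from ws.
const TOKEN_CHARS = new Set(
  "!#$%&'*+-.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ^_`abcdefghijklmnopqrstuvwxyz|~"
);

// The pattern quoted in the advisory's proof of concept. The optional
// whitespace on both sides of the comma makes the regex engine retry the
// match from every position of a long run of spaces that has no comma after
// it, which is quadratic in the length of that run.
function splitSubprotocolsVulnerable(header) {
  return header.trim().split(/ *, */);
}

// Linear-time replacement: a small state machine and no regular expression.
// Returns a Set of subprotocol names in header order, or throws SyntaxError.
function parseSubprotocols(header) {
  const protocols = new Set();
  let start = -1; // index where the current name began, -1 if no name is open
  let end = -1;   // index one past the current name once trailing space closed it
  let i = 0;

  const addName = (from, to) => {
    const name = header.slice(from, to);
    if (protocols.has(name)) {
      throw new SyntaxError(`The "${name}" subprotocol is duplicated`);
    }
    protocols.add(name);
  };

  for (; i < header.length; i++) {
    const ch = header[i];

    if (TOKEN_CHARS.has(ch)) {
      // A token character after whitespace that already closed a name means
      // two names without a comma between them, e.g. "chat superchat".
      if (end !== -1) throw new SyntaxError(`Unexpected character at index ${i}`);
      if (start === -1) start = i;
    } else if (ch === ' ' || ch === '\t') {
      // Whitespace is ignored around names; inside a list item it ends the name.
      if (start !== -1 && end === -1) end = i;
    } else if (ch === ',') {
      // A comma with no name in front of it (",," or a leading comma) is invalid.
      if (start === -1) throw new SyntaxError(`Unexpected character at index ${i}`);
      if (end === -1) end = i;
      addName(start, end);
      start = end = -1;
    } else {
      throw new SyntaxError(`Unexpected character at index ${i}`);
    }
  }

  // The list must end with a name, not with a comma or nothing at all.
  if (start === -1) throw new SyntaxError('Unexpected end of input');
  if (end === -1) end = i;
  addName(start, end);
  return protocols;
}

// Elapsed wall-clock time of one parse, in milliseconds, for side-by-side
// comparison of the two functions on the same input.
function timeParse(fn, header) {
  const begin = process.hrtime.bigint();
  try {
    fn(header);
  } catch (err) {
    if (!(err instanceof SyntaxError)) throw err;
  }
  return Number(process.hrtime.bigint() - begin) / 1e6;
}

// Stand-alone demonstration on a well-formed header and on the advisory's
// pathological shape (a name, a long run of spaces, another name, no comma).
console.log([...parseSubprotocols('chat, superchat')]);
const pathological = 'b' + ' '.repeat(32000) + 'x';
console.log('linear parser: %f ms', timeParse(parseSubprotocols, pathological));
console.log('regex split:   %f ms', timeParse(splitSubprotocolsVulnerable, pathological));
```

The last two lines print the two timings for the same 32 kB header; the linear parser throws at the first token character after the whitespace, so its time stays flat as the run of spaces grows, while the regex split grows with the square of that run. Bounding header size with `maxHeaderSize` limits how large that run can be; replacing the regex with a parser like this removes the dependence on input shape altogether.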

Credits

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.


Release Notes

websockets/ws

v5.2.3


Bug fixes


Configuration

📅 Schedule: "" in timezone America/New_York.

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner May 28, 2021 19:47
@renovate renovate bot requested review from flotwig and kuceb and removed request for a team May 28, 2021 19:47
cypress-bot (Contributor) commented May 28, 2021

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.

@renovate renovate bot added renovate Triggered by renovatebot type: dependencies labels May 28, 2021
flotwig (Contributor) previously approved these changes May 28, 2021

@flotwig flotwig left a comment

devDependency

cypress bot commented May 28, 2021



Test summary

200 passed, 0 failed, 1 pending, 0 skipped, Flakiness 0


Run details

Project cypress
Status Passed
Commit f57071e
Started Jun 9, 2021 7:56 PM
Ended Jun 9, 2021 8:05 PM
Duration 08:55 💡
OS Linux Debian - 10.8
Browser Electron 89



This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard

@renovate renovate bot changed the title chore(deps): update dependency ws to v7 [security] chore(deps): update dependency ws to v7 [security] - autoclosed May 28, 2021
@renovate renovate bot closed this May 28, 2021
@renovate renovate bot deleted the renovate/npm-ws-vulnerability branch May 28, 2021 23:12
@renovate renovate bot changed the title chore(deps): update dependency ws to v7 [security] - autoclosed chore(deps): update dependency ws to v7 [security] May 29, 2021
@renovate renovate bot reopened this May 29, 2021
@renovate renovate bot restored the renovate/npm-ws-vulnerability branch May 29, 2021 00:21
@renovate renovate bot force-pushed the renovate/npm-ws-vulnerability branch 3 times, most recently from 5d42032 to 4cf6c72 Compare June 1, 2021 17:03
@renovate renovate bot changed the title chore(deps): update dependency ws to v7 [security] chore(deps): update dependency ws to v7 [security] - autoclosed Jun 1, 2021
@renovate renovate bot closed this Jun 1, 2021
@renovate renovate bot deleted the renovate/npm-ws-vulnerability branch June 1, 2021 21:06
@renovate renovate bot changed the title chore(deps): update dependency ws to v7 [security] - autoclosed chore(deps): update dependency ws to v7 [security] Jun 1, 2021
@renovate renovate bot reopened this Jun 1, 2021
@renovate renovate bot restored the renovate/npm-ws-vulnerability branch June 1, 2021 22:01
@renovate renovate bot force-pushed the renovate/npm-ws-vulnerability branch from 4cf6c72 to e4a9d92 Compare June 1, 2021 22:02
@renovate renovate bot changed the title chore(deps): update dependency ws to v7 [security] chore(deps): update dependency ws to v6 [security] Jun 1, 2021
@renovate renovate bot force-pushed the renovate/npm-ws-vulnerability branch 3 times, most recently from 65a4964 to fbe70b0 Compare June 2, 2021 19:51
@renovate renovate bot force-pushed the renovate/npm-ws-vulnerability branch 13 times, most recently from f2c1257 to 5843dcb Compare June 8, 2021 20:21
@renovate renovate bot changed the title chore(deps): update dependency ws to v6 [security] chore(deps): update dependency ws to v6 [security] - autoclosed Jun 8, 2021
@renovate renovate bot closed this Jun 8, 2021
@renovate renovate bot deleted the renovate/npm-ws-vulnerability branch June 8, 2021 22:10
@renovate renovate bot changed the title chore(deps): update dependency ws to v6 [security] - autoclosed chore(deps): update dependency ws to v6 [security] Jun 9, 2021
@renovate renovate bot reopened this Jun 9, 2021
@renovate renovate bot restored the renovate/npm-ws-vulnerability branch June 9, 2021 13:52
@renovate renovate bot force-pushed the renovate/npm-ws-vulnerability branch from 5843dcb to 56310fb Compare June 9, 2021 13:53
@renovate renovate bot changed the title chore(deps): update dependency ws to v6 [security] chore(deps): update dependency ws to v5.2.3 [security] Jun 9, 2021
@jennifer-shehane jennifer-shehane (Member) left a comment

Great, backport fix so we don't have to upgrade to 7.0. Although this is not a vulnerability we need to worry about, going to approve to close this PR.

@renovate renovate bot force-pushed the renovate/npm-ws-vulnerability branch from 56310fb to f57071e Compare June 9, 2021 19:40
@jennifer-shehane jennifer-shehane merged commit e80da8f into develop Jun 9, 2021
@renovate renovate bot deleted the renovate/npm-ws-vulnerability branch June 9, 2021 20:16
Calyhre pushed a commit to Calyhre/cypress that referenced this pull request Jun 22, 2021