-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency ws to v8.17.1 [security] - autoclosed #6622
Conversation
Hey there and thank you for opening this pull request! 👋 We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted. Your PR title is: Details: Unknown scope "deps" found in pull request title "fix(deps): update dependency ws to v8.17.1 [security] - autoclosed". Scope must match one of: root, api, dashboard, inbound-mail, web, webhook, widget, worker, ws, ee-auth, ee-billing, ee-dal, ee-shared-services, ee-translation, application-generic, automation, dal, design-system, embed, novui, testing, client, framework, headless, js, nest, nextjs, node, notification-center, novu, providers, react, react-native, shared, stateless, nestjs, nextjs. |
✅ Deploy Preview for novu-stg-vite-dashboard-poc ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
5245f95
to
cf4d7d5
Compare
cf4d7d5
to
4fb9098
Compare
4fb9098
to
276a403
Compare
276a403
to
86bae84
Compare
86bae84
to
e419f34
Compare
e419f34
to
80d6b26
Compare
80d6b26
to
c31ff77
Compare
8a2a53d
to
062b6e7
Compare
062b6e7
to
6f3824d
Compare
6f3824d
to
4ff4fe2
Compare
4ff4fe2
to
d82a132
Compare
d82a132
to
84c88c9
Compare
84c88c9
to
ef96239
Compare
ef96239
to
0d6f789
Compare
This PR contains the following updates:
8.16.0
->8.17.1
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2024-37890
Impact
A request with a number of headers exceeding the
server.maxHeadersCount
threshold could be used to crash a ws server.Proof of concept
Patches
The vulnerability was fixed in [email protected] (websockets/ws@e55e510) and backported to [email protected] (websockets/ws@22c2876), [email protected] (websockets/ws@eeb76d3), and [email protected] (websockets/ws@4abd8f6)
Workarounds
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=size
and/or themaxHeaderSize
options so that no more headers than theserver.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.Credits
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
References
Release Notes
websockets/ws (ws)
v8.17.1
Compare Source
Bug fixes
A request with a number of headers exceeding the[
server.maxHeadersCount
][server.maxHeadersCount]threshold could be used to crash a ws server.
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
[
--max-http-header-size=size
][--max-http-header-size=size] and/or the [maxHeaderSize
][maxHeaderSize] options sothat no more headers than the
server.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.v8.17.0
Compare Source
Features
WebSocket
constructor now accepts thecreateConnection
option (#2219).Other notable changes
allowSynchronousEvents
option has been changed totrue
(#2221).This is a breaking change in a patch release. The assumption is that the option
is not widely used.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.