[PR #480] [MERGED] Bump ws from 8.20.1 to 8.21.0 #3329

Closed
opened 2026-07-15 02:02:18 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/mountain-loop/yaak/pull/480
Author: @dependabot[bot]
Created: 6/20/2026
Status: Merged
Merged: 6/30/2026
Merged by: @gschier

Base: mainHead: dependabot/npm_and_yarn/ws-8.21.0


📝 Commits (1)

  • 0370f90 Bump ws from 8.20.1 to 8.21.0

📊 Changes

2 files changed (+5 additions, -5 deletions)

View changed files

📝 package-lock.json (+4 -4)
📝 packages/plugin-runtime/package.json (+1 -1)

📄 Description

Bumps ws from 8.20.1 to 8.21.0.

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket(ws://localhost:${port});

ws.on('open', function () { (function send() { ws.send(data, options, function (err) { if (err) return; send(); }); })(); });

ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(client close - code: ${code} reason: ${reason.toString()}); }); });

wss.on('connection', function (ws) { ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(server close - code: ${code} reason: ${reason.toString()}); }); });

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

Commits


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/mountain-loop/yaak/pull/480 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 6/20/2026 **Status:** ✅ Merged **Merged:** 6/30/2026 **Merged by:** [@gschier](https://github.com/gschier) **Base:** `main` ← **Head:** `dependabot/npm_and_yarn/ws-8.21.0` --- ### 📝 Commits (1) - [`0370f90`](https://github.com/mountain-loop/yaak/commit/0370f90d0548280a2f813ebb3d001f36965e480f) Bump ws from 8.20.1 to 8.21.0 ### 📊 Changes **2 files changed** (+5 additions, -5 deletions) <details> <summary>View changed files</summary> 📝 `package-lock.json` (+4 -4) 📝 `packages/plugin-runtime/package.json` (+1 -1) </details> ### 📄 Description Bumps [ws](https://github.com/websockets/ws) from 8.20.1 to 8.21.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/websockets/ws/releases">ws's releases</a>.</em></p> <blockquote> <h2>8.21.0</h2> <h1>Features</h1> <ul> <li>Introduced the <code>maxBufferedChunks</code> and <code>maxFragments</code> options (2b2abd45).</li> </ul> <h1>Bug fixes</h1> <ul> <li>Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).</li> </ul> <p>A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a <code>ws</code> server or client due to OOM.</p> <pre lang="js"><code>import { WebSocket, WebSocketServer } from 'ws'; <p>const wss = new WebSocketServer({ port: 0 }, function () { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket(<code>ws://localhost:${port}</code>);</p> <p>ws.on('open', function () { (function send() { ws.send(data, options, function (err) { if (err) return; send(); }); })(); });</p> <p>ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(<code>client close - code: ${code} reason: ${reason.toString()}</code>); }); });</p> <p>wss.on('connection', function (ws) { ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(<code>server close - code: ${code} reason: ${reason.toString()}</code>); }); }); </code></pre></p> <p>The vulnerability was responsibly disclosed and fixed by <a href="https://github.com/Nadav0077">Nadav Magier</a>.</p> <p>In vulnerable versions, the issue can be mitigated by lowering the value of the <code>maxPayload</code> option if possible.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"><code>bca91ad</code></a> [dist] 8.21.0</li> <li><a href="https://github.com/websockets/ws/commit/2b2abd458a1b647d0b6033bd62a619c36189839a"><code>2b2abd4</code></a> [security] Limit retained message parts</li> <li><a href="https://github.com/websockets/ws/commit/78eabe2a6677b231bf9c82601bde86ff91639490"><code>78eabe2</code></a> [security] Add latest vulnerability to SECURITY.md</li> <li>See full diff in <a href="https://github.com/websockets/ws/compare/8.20.1...8.21.0">compare view</a></li> </ul> </details> <br /> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-07-15 02:02:18 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/yaak#3329