[Security] Bump ws from 1.0.1 to 8.0.0

[dependabot-preview]

Bumps ws from 1.0.1 to 8.0.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects ws ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a ws server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

Affected versions: < 1.1.1

Sourced from The Node Security Working Group.

DoS due to excessively large websocket message ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455"

By sending an overly long websocket payload to a ws server, it is possible to crash the node process.

Affected versions: <=1.1.0

Sourced from The GitHub Security Advisory Database.

Denial of Service in ws Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept

const WebSocket = require('ws');
const net = require('net');
const wss = new WebSocket.Server({ port: 3000 }, function () {
const payload = 'constructor';  // or ',;constructor'
const request = [
'GET / HTTP/1.1',
'Connection: Upgrade',
'Sec-WebSocket-Key: test',
'Sec-WebSocket-Version: 8',
Sec-WebSocket-Extensions: ${payload},
'Upgrade: websocket',
'\r\n'
].join('\r\n');
</tr></table>

... (truncated)

Affected versions: >= 0.2.6 < 1.1.5

Sourced from The GitHub Security Advisory Database.

ReDoS in Sec-Websocket-Protocol header

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();
value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start);
}

Patches

... (truncated)

Affected versions: < 6.2.2

Sourced from The GitHub Security Advisory Database.

ReDoS in Sec-Websocket-Protocol header

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();
value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start);
}

Patches

... (truncated)

Affected versions: < 5.2.3

Release notes

Sourced from ws's releases.

8.0.0

Breaking changes

• The WebSocket constructor now throws a SyntaxError if any of the subprotocol names are invalid or duplicated (0aecf0c9).

• The server now aborts the opening handshake if an invalid Sec-WebSocket-Protocol header field value is received (1877ddeb).

• The protocols argument of handleProtocols hook is no longer an Array but a Set (1877ddeb).

• The opening handshake is now aborted if the Sec-WebSocket-Extensions header field value begins or ends with a white space (e814110e).

• Dropped support for Node.js < 10.0.0 (552b5067).

• The WebSocket constructor now throws a SyntaxError if the connection URL contains a fragment identifier or if the URL's protocol is not one of 'ws:', 'wss:', or 'ws+unix:' (ebea038f).

• Text messages and close reasons are no longer decoded to strings. They are passed as Buffers to the listeners of their respective events. The listeners of the 'message' event now take a boolean argument specifying whether or not the message is binary (e173423c).

  Existing code can be migrated by decoding the buffer explicitly.

  websocket.on('message', function message(data, isBinary) {
    const message = isBinary ? data : data.toString();
    // Continue as before.
  });
  websocket.on('close', function close(code, data) {
  const reason = data.toString();
  // Continue as before.
  });

• The package now uses an ES module wrapper (78adf5f7).

• WebSocketServer.prototype.close() no longer closes existing connections (df7de574).

  Existing code can be migrated by closing the connections manually.

  websocketServer.close();
  for (const ws of websocketServer.clients) {
    ws.terminate();
  }

• The callback of WebSocketServer.prototype.close() is now called with an error if the server is already closed (abde9cfc).

• Websocket.prototype.addEventListener() is now a noop if the type argument

... (truncated)

Commits

• bba3351 [dist] 8.0.0
• c4394c3 [major] Overhaul event classes
• 94a80cc [minor] Fix nits
• 45790db [fix] Return null if the event handler is not set
• 0b21c03 [fix] Make listeners added via event handler properties independent
• 1bd93f0 [major] Ignore listeners not added with Websocket#addEventListener()
• a421eb5 [major] Make Websocket#addEventListener() ignore non standard events
• 77a675c [minor] Remove unneeded setters
• 64b3c71 [pkg] Update mocha to version 8.4.0
• abde9cf [major] Call the callback with an error if the server is closed
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by lpinca, a new releaser for ws since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)