[dist] Update dependency ws to v3 [SECURITY]

Merged Administrator requested to merge renovate/npm-ws-vulnerability into master 5 years ago
  • Overview 3
  • Commits 7
  • Pipelines 0
  • Changes 10

Created by: renovate[bot]

This PR contains the following updates:

Package | Type            | Update | Change
ws      | devDependencies | major  | ^0.8.0 -> ^3.0.0

GitHub Vulnerability Alerts

CVE-2016-10518

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send into a Buffer instance, and that is where the vulnerability existed. ws didn't do any checks for the type of data it was sending. With Buffers in Node, when you allocate one with a number instead of a string, it will allocate that number of bytes.

CVE-2016-10542

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a ws server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

GHSA-5v72-xg48-5rpm / WS-2017-0421

Affected versions of ws (0.2.6--3.3.0) are vulnerable: a specially crafted value of the Sec-WebSocket-Extensions header that uses Object.prototype property names as extension or parameter names could be used to make a ws server crash.


Release Notes

websockets/ws

v3.3.1


Bug fixes

  • Fixed a DoS vulnerability (c4fe466).

A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

The vulnerability has been privately reported by Nick Starke and Ryan Knell of Sonatype Security Research and promptly fixed. Please update now!


Renovate configuration

:date: Schedule: "" (UTC).

:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.

:recycle: Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

:no_bell: Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot. View repository job log here.
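To show why a header value such as `constructor` can crash a server that keys a plain `{}` object by extension or parameter name (the GHSA-5v72-xg48-5rpm mechanism described above), here is an added illustration with a deliberately tiny parser. It is not the ws project's code or its fix; the grammar (extensions split on `,`, parameters on `;`, values on `=`) and the prototype-less-object mitigation are assumptions for the example.

```javascript
'use strict';

// Appends elem to dest[name], creating the list on first use. With a plain
// object, dest['constructor'] is Object.prototype.constructor (a function),
// so the "already exists" branch runs and .push throws a TypeError.
function push(dest, name, elem) {
  if (dest[name] === undefined) dest[name] = [elem];
  else dest[name].push(elem);
}

// Simplified Sec-WebSocket-Extensions parser (assumed grammar, not RFC-exact).
// newDict decides which kind of object backs the lookup tables.
function parse(header, newDict) {
  const extensions = newDict();
  for (const ext of header.split(',')) {
    const [name, ...rawParams] = ext.split(';').map((s) => s.trim());
    const params = newDict();
    for (const p of rawParams) {
      const [key, value] = p.split('=').map((s) => s.trim());
      push(params, key, value === undefined ? true : value);
    }
    push(extensions, name, params);
  }
  return extensions;
}

// Unsafe variant: lookup tables inherit Object.prototype, so names such as
// "constructor", "toString" or "hasOwnProperty" collide with inherited props.
function parseUnsafe(header) {
  return parse(header, () => ({}));
}

// Hardened variant: prototype-less tables, so every key is a real entry and
// prototype property names are just ordinary, unknown extension names.
function parseSafe(header) {
  return parse(header, () => Object.create(null));
}

// Returns the name of the error fn throws, or null when it returns normally.
function thrownName(fn) {
  try {
    fn();
    return null;
  } catch (e) {
    return e.name;
  }
}
```

An unhandled TypeError thrown inside the upgrade handler is what turns a single malformed header into a process crash, so the detection signal on the server side is the exception itself, not anything visible at the network layer.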


Merged by (Jul 23, 2025 5:35am UTC)


Activity


  • Administrator
    Administrator @root · 5 years ago
    Author Contributor

    Created by: renovate[bot]

    PR has been edited

    :construction_worker: This PR has received other commits, so Renovate will stop updating it to avoid conflicts or other problems. If you wish to abandon your changes and have Renovate start over you may click the "rebase" checkbox in the PR body/description.

  • Administrator
    Administrator @root · 5 years ago
    Author Contributor

    Created by: codecov-io

    Codecov Report

    :exclamation: No coverage uploaded for pull request base (master@acdbec0). Click here to learn what that means. The diff coverage is n/a.


    @@            Coverage Diff            @@
    ##             master    #1361   +/-   ##
    =========================================
      Coverage          ?   92.35%           
    =========================================
      Files             ?        6           
      Lines             ?      314           
      Branches          ?        0           
    =========================================
      Hits              ?      290           
      Misses            ?       24           
      Partials          ?        0

    Continue to review full report at Codecov.

    Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update acdbec0...4241a39. Read the comment docs.

  • Administrator
    Administrator @root · 5 years ago
    Author Contributor

    Merged by: indexzero at 2019-08-22 07:12:53 UTC

  • Administrator closed 5 years ago

    closed
