6902e55256
Summary: Bumps [ws](https://github.com/websockets/ws) from 7.3.0 to 7.4.6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/websockets/ws/releases">ws's releases</a>.</em></p> <blockquote> <h2>7.4.6</h2> <h1>Bug fixes</h1> <ul> <li>Fixed a ReDoS vulnerability (00c425ec).</li> </ul> <p>A specially crafted value of the <code>Sec-Websocket-Protocol</code> header could be used to significantly slow down a ws server.</p> <pre lang="js"><code>for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) { const value = 'b' + ' '.repeat(length) + 'x'; const start = process.hrtime.bigint(); <p>value.trim().split(/ *, */);</p> <p>const end = process.hrtime.bigint();</p> <p>console.log('length = %d, time = %f ns', length, end - start); } </code></pre></p> <p>The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.</p> <p>In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the <a href="https://nodejs.org/api/cli.html#cli_max_http_header_size_size"><code>--max-http-header-size=size</code></a> and/or the <a href="https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener"><code>maxHeaderSize</code></a> options.</p> <h2>7.4.5</h2> <h1>Bug fixes</h1> <ul> <li>UTF-8 validation is now done even if <code>utf-8-validate</code> is not installed (23ba6b29).</li> <li>Fixed an edge case where <code>websocket.close()</code> and <code>websocket.terminate()</code> did not close the connection (67e25ff5).</li> </ul> <h2>7.4.4</h2> <h1>Bug fixes</h1> <ul> <li>Fixed a bug that could cause the process to crash when using the permessage-deflate extension (92774377).</li> </ul> <h2>7.4.3</h2> <h1>Bug fixes</h1> <ul> <li>The deflate/inflate stream is now reset instead of reinitialized when context takeover is disabled (<a href="https://github-redirect.dependabot.com/websockets/ws/issues/1840">https://github.com/facebook/flipper/issues/1840</a>).</li> </ul> <h2>7.4.2</h2> <h1>Bug fixes</h1> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="f5297f7090"><code>f5297f7</code></a> [dist] 7.4.6</li> <li><a href="00c425ec77"><code>00c425e</code></a> [security] Fix ReDoS vulnerability</li> <li><a href="990306d144"><code>990306d</code></a> [lint] Fix prettier error</li> <li><a href="32e3a8439b"><code>32e3a84</code></a> [security] Remove reference to Node Security Project</li> <li><a href="8c914d18b8"><code>8c914d1</code></a> [minor] Fix nits</li> <li><a href="fc7e27d12a"><code>fc7e27d</code></a> [ci] Test on node 16</li> <li><a href="587c201bfc"><code>587c201</code></a> [ci] Do not test on node 15</li> <li><a href="f672710797"><code>f672710</code></a> [dist] 7.4.5</li> <li><a href="67e25ff502"><code>67e25ff</code></a> [fix] Fix case where <code>abortHandshake()</code> does not close the connection</li> <li><a href="23ba6b2922"><code>23ba6b2</code></a> [fix] Make UTF-8 validation work even if utf-8-validate is not installed</li> <li>Additional commits viewable in <a href="https://github.com/websockets/ws/compare/7.3.0...7.4.6">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `dependabot rebase` will rebase this PR - `dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `dependabot merge` will merge this PR after your CI passes on it - `dependabot squash and merge` will squash and merge this PR after your CI passes on it - `dependabot cancel merge` will cancel a previously requested merge and block automerging - `dependabot reopen` will reopen this PR if it is closed - `dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Pull Request resolved: https://github.com/facebook/flipper/pull/2371 Reviewed By: passy Differential Revision: D28714468 Pulled By: nikoant fbshipit-source-id: c2a3a7091599f29d453a35bf89bab4a03817509c
18 lines
358 B
JSON
18 lines
358 B
JSON
{
|
|
"name": "flipper-static",
|
|
"version": "0.0.0",
|
|
"main": "index.js",
|
|
"private": true,
|
|
"license": "MIT",
|
|
"dependencies": {
|
|
"electron-devtools-installer": "^3.1.1",
|
|
"fix-path": "^3.0.0",
|
|
"mac-ca": "^1.0.6",
|
|
"mkdirp": "^1.0.4",
|
|
"node-fetch": "^2.6.1",
|
|
"ws": "^7.4.6",
|
|
"xdg-basedir": "^4.0.0",
|
|
"yargs": "^16.2.0"
|
|
}
|
|
}
|