[dist] Update dependency ws to v7 - autoclosed (!1371) · Merge requests · http ... PARTY! / node-http-proxy

Closed Administrator requested to merge renovate/ws-7.x into master Aug 22, 2019

Created by: renovate[bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
ws	`^3.0.0` -> `^7.0.0`

Release Notes

websockets/ws

`v7.5.0`

Compare Source

Features

Some errors now have a code property describing the specific type of error that has occurred (#1901).

Bug fixes

A close frame is now sent to the remote peer if an error (such as a data framing error) occurs (8806aa9).
The close code is now always 1006 if no close frame is received, even if the connection is closed due to an error (8806aa9).

`v7.4.6`

Compare Source

Bug fixes

Fixed a ReDoS vulnerability (00c425e).

A specially crafted value of the Sec-Websocket-Protocol header could be used to significantly slow down a ws server.

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

`v7.4.5`

Compare Source

Bug fixes

UTF-8 validation is now done even if utf-8-validate is not installed (23ba6b2).
Fixed an edge case where websocket.close() and websocket.terminate() did not close the connection (67e25ff).

`v7.4.4`

Compare Source

Bug fixes

Fixed a bug that could cause the process to crash when using the permessage-deflate extension (9277437).

`v7.4.3`

Compare Source

Bug fixes

The deflate/inflate stream is now reset instead of reinitialized when context takeover is disabled (#1840).

`v7.4.2`

Compare Source

Bug fixes

Silenced a deprecation warning (a2c0d44).

`v7.4.1`

Compare Source

Bug fixes

Added a workaround for a double 'error' event bug in Node.js < 13 which caused an uncaught error during the WebSocket handshake (38d6ab3).

`v7.4.0`

Compare Source

Features

The callback of WebSocketServer.prototype.handleUpgrade() now takes the client HTTP GET request as second argument (7d39f19).

Bug fixes

Read-only properties are now read-only (eabed8f).
The CONNECTING, OPEN, CLOSING, CLOSED, binaryType, bufferedAmount, extensions, onclose, onerror, onmessage, onopen, protocol, readyState, and url properties are now enumerable (2069e68).

`v7.3.1`

Compare Source

Bug fixes

Improved websocket.bufferedAmount accuracy (e1349c0, a162942).

`v7.3.0`

Compare Source

Features

WebSocket.prototype.addEventListener() now supports the once option (#1754).

`v7.2.5`

Compare Source

Bug fixes

Fixed compatibility with Node.js master (651d662).

`v7.2.3`

Compare Source

Bug fixes

WebSocket#{p{i,o}ng,close}() now thow an error if the data to send is too large to fit in a control frame (e54f08d).

`v7.2.2`

Compare Source

Bug fixes

Fixed an issue where calling webSocketStream.end() could cause the process to crash (9535702).
The connection is now closed if a non-masked frame is received on the server or a masked frame is received on the client (#1681).
The status code 1014 is now allowed to be used (#1682).

`v7.2.1`

Compare Source

Bug fixes

Added bufferutil and utf-8-validate as peer dependencies (#1626).

`v7.2.0`

Compare Source

Features

Added ability to specify the readableObjectMode option when using WebSocket.createWebSocketStream() (#1647).

`v7.1.2`

Compare Source

Bug fixes

Fixed a bug that caused compress jobs to never be marked as complete (#1618).

`v7.1.1`

Compare Source

Bug fixes

An error is now thrown if the WebSocket server constructor is used incorrectly (3641266).

`v7.1.0`

Compare Source

Features

Added utility to wrap a WebSocket in a Duplex stream (#1589).

Bug fixes

Reverted "[minor] Remove unneeded if statement" (dbacf58, #1591).

`v7.0.1`

Compare Source

Bug fixes

Added ability to disable sending the SNI extension (#1587).

`v7.0.0`

Compare Source

Breaking changes

Dropped support for Node.js 6 (1e6999b).
Dropped support for url.Url instances in the WebSocket constructor (692d7b4).
The behavior of WebSocket#{p{i,o}ng,send}() has changed when the readyState attribute is not OPEN (#1532)
- If the readyState attribute is CONNECTING, an exception is thrown.
- If the readyState attribute is CLOSING or CLOSED
  - The bufferedAmount attribute is increased by the length of the data argument in bytes.
  - If provided, the callback function is called with an error.
  - No exception is thrown even if the callback function is not provided.

`v6.2.2`

Compare Source

Bug fixes

Backported 00c425e to the 6.x release line (78c676d).

`v6.2.1`

Compare Source

Bug fixes

Fixed a bug that, under certain circumstances, prevented the close timer from being set (aa1dcd5).

`v6.2.0`

Compare Source

Features

Added ability to follow redirects (#1490).

Bug fixes

The opening handshake is now aborted if the Sec-WebSocket-Key header field value is invalid (160af45).

`v6.1.4`

Compare Source

Bug fixes

Fixed an issue that caused the Host header to always include a port (#1510).

`v6.1.3`

Compare Source

Bug fixes

Fixed a bug that, under certain circumstances, prevented the close frame from being parsed (#1494).

`v6.1.2`

Compare Source

Bug fixes

Restored compatibility with Node.js < 6.13.0 (26436e0).

`v6.1.1`

Compare Source

Bug fixes

Queued messages to send are now discarded if the permessage-deflate is enabled and the socket closes prematurely (#1464, #1471).

`v6.1.0`

Compare Source

Features

The WebSocket server now emits a 'close' event when the server closes (#1453).

`v6.0.0`

Compare Source

Breaking changes

Dropped support for Node.js 4 (d73885c).
Added a shim that throws an error when used if the package is bundled for the browser (#1345).
Added a maxPayload option on the client. Defaults to 100 MiB (#1402).
Dropped support for the memLevel and level options. Use zlibDeflateOptions instead. (80e2002).

`v5.2.3`

Compare Source

Bug fixes

Backported 00c425e to the 5.x release line (76d47c1).

`v5.2.2`

Compare Source

Bug fixes

Fixed a use after invalidation bug introduced in 6046a28 (8aba871).

`v5.2.1`

Compare Source

Bug fixes

Fixed a bug that could prevent buffered data from being processed under certain circumstances (6046a28).

`v5.2.0`

Compare Source

Features

Added ability to specify custom headers when rejecting the handshake (#1379).

`v5.1.1`

Compare Source

Bug fixes

Fixed a regression introduced in 9e152f9 (#1347).

`v5.1.0`

Compare Source

Features

The address argument of the WebSocket constructor can now be a [URL][URL] instance (#1329).
The options argument of the WebSocket constructor now accepts any TLS option that is also accepted by [https.request()][https.request()] (#1332).

`v5.0.0`

Compare Source

Breaking changes

Dropped support for Node.js < 4.5.0 (#1313).
The connection is no longer closed if the server does not agree to any of the client's requested subprotocols (#1312).
net.Socket errors are no longer re-emitted (a4050db).

Features

Read backpressure is now properly handled when permessage-deflate is enabled (#1302).

`v4.1.0`

Compare Source

Features

Added WebSocketServer.prototype.address() (#1294).
Added zlib{Deflate,Inflate}Options options (#1306).

`v4.0.0`

Compare Source

Breaking changes

The close status code is now set to 1005 if the received close frame contains no status code (a31b1f6).
Error messages and types have been updated (695c5ea).
The onerror event handler now receives an ErrorEvent instead of JavaScript error (63e275e).
The third argument of WebSocket.prototype.ping() and WebSocket.prototype.pong() is no longer a boolean but an optional callback (30c9f71).
The non-standard protocolVersion and bytesReceived attributes have been removed (30c9f71...ee9b5f3).
The extensions attribute is no longer an object but a string representing the extensions selected by the server (fdec524).
The 'headers' event on the client has been renamed to 'upgrade'. Listeners of this event now receive only the response argument (1c783c2).
The WebSocket.prototype.pause() and WebSocket.prototype.resume() methods have been removed to prevent the user from interfering with the state of the underlying net.Socket stream (a206e98).

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.