Update dependency ws to v8.21.0 by ivan-flamingo · Pull Request #32 · flamingo-stack/meshcentral · GitHub
Skip to content

Update dependency ws to v8.21.0#32

Open
ivan-flamingo wants to merge 1 commit into
masterfrom
renovate/ws-8.x
Open

Update dependency ws to v8.21.0#32
ivan-flamingo wants to merge 1 commit into
masterfrom
renovate/ws-8.x

Conversation

@ivan-flamingo

@ivan-flamingo ivan-flamingo commented Jun 9, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Type Update Change
ws dependencies minor 8.18.38.21.0

Release Notes

websockets/ws (ws)

v8.21.0

Compare Source

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd4).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd4).

A high volume of tiny fragments and data chunks could be sent by a peer, using
modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the
maxPayload option if possible.

v8.20.1

Compare Source

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close()
    (c0327ec).

Providing a TypedArray (e.g. Float32Array) as the reason argument for
websocket.close(), rather than the supported string or Buffer types, caused
uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

v8.20.0

Compare Source

Features

  • Added exports for the PerMessageDeflate class and utilities for the
    Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1).

v8.19.0

Compare Source

Features

  • Added the closeTimeout option (#​2308).

Bug fixes

  • Handled a forthcoming breaking change in Node.js core (1998485).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@coderabbitai

coderabbitai Bot commented Jun 9, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@ivan-flamingo, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 41 seconds. Learn how PR review limits work.

To continue reviewing without waiting, enable usage-based billing in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7c8eecd0-b532-4e87-853c-7b60f75bc88e

📥 Commits

Reviewing files that changed from the base of the PR and between 71eb96e and 9fc39a7.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
📝 Walkthrough

Walkthrough

The pull request updates the WebSocket (ws) dependency in package.json from version 8.18.3 to 8.21.0, bringing in a minor version bump with two releases worth of updates.

Changes

Dependency Updates

Layer / File(s) Summary
WebSocket library upgrade
package.json
The ws dependency version is bumped from 8.18.3 to 8.21.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A websocket hops forward in time,
From 8-18 to 21, oh so prime!
Tiny dependencies, oh how they grow,
Stability and speed in each version's flow! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main change: updating the ws dependency to v8.21.0, which matches the package.json modification.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/ws-8.x

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@ivan-flamingo ivan-flamingo force-pushed the renovate/ws-8.x branch 2 times, most recently from 13d058a to bced2bb Compare June 17, 2026 11:24
@ivan-flamingo ivan-flamingo force-pushed the renovate/ws-8.x branch 2 times, most recently from 408f80a to 1c4aeef Compare June 24, 2026 19:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants