Skip to content

meta: bump ws from 8.18.0 to 8.20.1 (via audit fix)#8905

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/ws-8.20.1
Open

meta: bump ws from 8.18.0 to 8.20.1 (via audit fix)#8905
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/ws-8.20.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 18, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps ws from 8.18.0 to 8.20.1.

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

  • Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

  • Added the closeTimeout option (#2308).

Bug fixes

  • Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • 3ee5349 [api] Convert the isServer and maxPayload parameters to options
  • 91707b4 [doc] Add missing space
  • 8b55319 [pkg] Update eslint to version 10.0.1
  • Additional commits viewable in compare view

@dependabot dependabot Bot added auto-merge Ready to automatically merge after being open for 48 hours dependencies Pull requests that update a dependency file github_actions:pull-request Trigger Pull Request Checks labels May 18, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 18, 2026 22:30
@dependabot dependabot Bot added javascript Pull requests that update javascript code github_actions:pull-request Trigger Pull Request Checks dependencies Pull requests that update a dependency file auto-merge Ready to automatically merge after being open for 48 hours labels May 18, 2026
@vercel

vercel Bot commented May 18, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
nodejs-org Error Error May 20, 2026 1:54pm

Request Review

@github-actions github-actions Bot removed the github_actions:pull-request Trigger Pull Request Checks label May 18, 2026
@codecov

codecov Bot commented May 18, 2026

Copy link
Copy Markdown

⚠️ JUnit XML file not found

The CLI was unable to find any JUnit XML files to upload.
For more help, visit our troubleshooting guide.

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/ws-8.20.1 branch from 44d9be2 to 13176ba Compare May 19, 2026 14:28
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/ws-8.20.1 branch from 13176ba to 7c67177 Compare May 19, 2026 14:34
@dependabot
meta: bump ws from 8.18.0 to 8.20.1 (via audit fix)
633ea21 
Bumps [ws](https://github.com/websockets/ws) from 8.18.0 to 8.20.1.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.18.0...8.20.1)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/ws-8.20.1 branch from 7c67177 to 633ea21 Compare May 19, 2026 14:49
@bmuenzenmeyer bmuenzenmeyer self-requested a review May 20, 2026 13:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bmuenzenmeyer bmuenzenmeyer Awaiting requested review from bmuenzenmeyer

Assignees

No one assigned

Labels

auto-merge Ready to automatically merge after being open for 48 hours dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bmuenzenmeyer