Skip to content

build(deps): bump ws from 8.18.0 to 8.20.1#25

Open
dependabot[bot] wants to merge 2 commits into
devfrom
dependabot/npm_and_yarn/ws-8.20.1
Open

build(deps): bump ws from 8.18.0 to 8.20.1#25
dependabot[bot] wants to merge 2 commits into
devfrom
dependabot/npm_and_yarn/ws-8.20.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 20, 2026
edited
Loading

Copy link
Copy Markdown

Bumps ws from 8.18.0 to 8.20.1.

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

  • Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

  • Added the closeTimeout option (#2308).

Bug fixes

  • Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • 3ee5349 [api] Convert the isServer and maxPayload parameters to options
  • 91707b4 [doc] Add missing space
  • 8b55319 [pkg] Update eslint to version 10.0.1
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 20, 2026
@CLAassistant

CLAassistant commented May 20, 2026

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@dependabot dependabot Bot changed the title chore(deps): bump ws from 8.18.0 to 8.20.1 build(deps): bump ws from 8.18.0 to 8.20.1 May 27, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/ws-8.20.1 branch 2 times, most recently from 0f38db8 to f4eaf2d Compare May 27, 2026 09:33
dinex-dev and others added 2 commits June 8, 2026 17:32
@dinex-dev
chore(dev): point workflow at dev repo's MAC_CERTS + allow dispatch f…
4fa8168 
…rom dev branch

Two minimal edits on the prod workflow we just synced over:

1. mac_certs / mac_certs_password now read from secrets.MAC_CERTS /
   MAC_CERTS_PASSWORD (the dev repo's known-good pair, last refreshed
   2025-12-07) instead of secrets.bstack_mac_certs / bstack_mac_certs_password
   (which only exist on prod, and the prod copies are the broken pair that
   produced the MAC verification / notarize failures we're debugging).

2. Branch guard now also allows refs/heads/dev so workflow_dispatch from
   the dev branch actually fires steps instead of skipping silently.

This is a dev-only adjustment — the prod workflow stays as-is. Iteration
playground only; do not merge upstream.
@dependabot
build(deps): bump ws from 8.18.0 to 8.20.1
fbe0ad6 
Bumps [ws](https://github.com/websockets/ws) from 8.18.0 to 8.20.1.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.18.0...8.20.1)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/ws-8.20.1 branch from f4eaf2d to fbe0ad6 Compare June 8, 2026 12:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@CLAassistant @dinex-dev