Skip to content

chore(deps-dev): bump the dev-dependencies group across 1 directory with 2 updates#13

Closed
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/dev-dependencies-9d51c8cf6b
Closed

chore(deps-dev): bump the dev-dependencies group across 1 directory with 2 updates#13
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/dev-dependencies-9d51c8cf6b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 27, 2026

Copy link
Copy Markdown

Bumps the dev-dependencies group with 2 updates in the / directory: @types/node and ws.

Updates @types/node from 25.2.1 to 25.9.1

Commits

Updates ws from 8.19.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits
  • bca91ad [dist] 8.21.0
  • 2b2abd4 [security] Limit retained message parts
  • 78eabe2 [security] Add latest vulnerability to SECURITY.md
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • Additional commits viewable in compare view

@dependabot @github

dependabot Bot commented on behalf of github May 27, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot changed the title chore(deps-dev): bump the dev-dependencies group with 2 updates chore(deps-dev): bump the dev-dependencies group across 1 directory with 2 updates May 28, 2026
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/dev-dependencies-9d51c8cf6b branch 2 times, most recently from 6263d49 to 2c9f93f Compare June 2, 2026 10:29
safenestdev and others added 2 commits June 3, 2026 09:43
Resolves Dependabot alert #6 (GHSA-5xrq-8626-4rwp / CVE-2026-47429,
vitest UI arbitrary file read). Practical exposure here is nil since
this repo only runs `vitest run` headlessly, but moving to 4.x clears
the alert and stays current.

vitest 4 requires Node ^20 || ^22 || >=24, so the CI test matrix drops
18.x and adds 24.x. `engines.node` stays at >=18 — the SDK runtime
itself doesn't need 20+, only the test toolchain does.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
…ith 2 updates

Bumps the dev-dependencies group with 2 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [ws](https://github.com/websockets/ws).


Updates `@types/node` from 25.2.1 to 25.9.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `ws` from 8.19.0 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.21.0)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.9.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/dev-dependencies-9d51c8cf6b branch from 2c9f93f to 1834e72 Compare June 3, 2026 08:04
@safenestdev

Copy link
Copy Markdown
Contributor

Superseded by 460e721 on main: @types/node ^25.9.1 and ws ^8.21.0. The ws bump also clears the moderate audit advisory GHSA-58qx-3vcg-4xpx.

@safenestdev safenestdev closed this Jun 3, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 3, 2026

Copy link
Copy Markdown
Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot
dependabot Bot deleted the dependabot/npm_and_yarn/dev-dependencies-9d51c8cf6b branch June 3, 2026 09:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant