[Snyk] Upgrade ws from 7.2.0 to 8.13.0

[naiba4]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade ws from 7.2.0 to 8.13.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

Warning: This is a major version upgrade, and may be a breaking change.

• The recommended version is 44 versions ahead of your current version.
• The recommended version was released 6 months ago, on 2023-03-10.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	83/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00116, Social Trends: No, Days since published: 827, Transitive dependency: No, Is Malicious: No, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 3.52, Score Version: V4	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: ws

• 8.13.0 - 2023-03-10
  

  Features

  • Added the finishRequest option to support late addition of headers (#2123).
• 8.12.1 - 2023-02-13
  

  Bug fixes

  • Added browser condition to package.json (#2118).
• 8.12.0 - 2023-01-07
  

  Features

  • Added support for utf-8-validate@6 (ff63bba).

  Other notable changes

  • buffer.isUtf8() is now used instead of utf-8-validate if available
    (42d79f6).
• 8.11.0 - 2022-11-06
  

  Features

  • WebSocket.prototype.addEventListener() now supports an event listener
    specified as an object with a handleEvent() method. (9ab743a).

  Bug fixes

  • WebSocket.prototype.addEventListener() now adds an event listener only if it
    is not already in the list of the event listeners for the specified event type
    (1cec17d).
• 8.10.0 - 2022-10-24
  

  Features

  • Added an export for package.json (211d5d3).
• 8.9.0 - 2022-09-22
  

  Features

  • Added the ability to connect to Windows named pipes (#2079).
• 8.8.1 - 2022-07-15
  

  Bug fixes

  • The Authorization and Cookie headers are no longer sent if the original
    request for the opening handshake is sent to an IPC server and the client is
    redirected to another IPC server (bc8bd34).
• 8.8.0 - 2022-06-09
  

  Features

  • Added the WS_NO_BUFFER_UTIL and WS_NO_UTF_8_VALIDATE environment
    variables (becf237).
• 8.7.0 - 2022-05-26
  

  Features

  • Added the ability to inspect the invalid handshake requests and respond to
    them with a custom HTTP response. (6e5a5ce).

  Bug fixes

  • The handshake is now aborted if the Upgrade header field value in the HTTP
    response is not a case-insensitive match for the value "websocket" (0fdcc0a).
  • The Authorization and Cookie headers are no longer sent when following an
    insecure redirect (wss: to ws:) to the same host (d68ba9e).
• 8.6.0 - 2022-05-01
• 8.5.0 - 2022-02-07
• 8.4.2 - 2022-01-14
• 8.4.1 - 2022-01-13
• 8.4.0 - 2021-12-20
• 8.3.0 - 2021-11-23
• 8.2.3 - 2021-10-02
• 8.2.2 - 2021-09-08
• 8.2.1 - 2021-08-28
• 8.2.0 - 2021-08-18
• 8.1.0 - 2021-08-11
• 8.0.0 - 2021-07-28
• 7.5.9 - 2022-07-15
  

  Bug fixes

  • Backported bc8bd34 to the 7.x release line (0435e6e).
• 7.5.8 - 2022-05-26
• 7.5.7 - 2022-02-07
• 7.5.6 - 2021-11-23
• 7.5.5 - 2021-09-08
• 7.5.4 - 2021-08-28
• 7.5.3 - 2021-07-10
• 7.5.2 - 2021-07-04
• 7.5.1 - 2021-06-29
• 7.5.0 - 2021-06-16
• 7.4.6 - 2021-05-25
• 7.4.5 - 2021-04-18
• 7.4.4 - 2021-03-06
• 7.4.3 - 2021-02-02
• 7.4.2 - 2020-12-29
• 7.4.1 - 2020-12-04
• 7.4.0 - 2020-11-08
• 7.3.1 - 2020-07-05
• 7.3.0 - 2020-05-10
• 7.2.5 - 2020-04-25
• 7.2.3 - 2020-03-09
• 7.2.2 - 2020-03-08
• 7.2.1 - 2019-12-14
• 7.2.0 - 2019-10-19

from ws GitHub release notes

Commit messages

Package name: ws

• 45e17ac [pkg] 8.13.0
• 23acf8c [test] Fix nits
• cd89e07 [feature] Add option to support late addition of headers (Fix bug in _apply_error EOSIO/eos#2123)
• b4b9d5a [test] Fix failing test when using the domain module (Changes to transaction receipt and transaction_mroot EOSIO/eos#2126)
• 41dc56a [doc] Remove misleading information
• a04578e [dist] 8.12.1
• 0d114ef [pkg] Add browser condition (Serialization performance investigation/improvement EOSIO/eos#2118)
• 2862c2f [doc] Add error handlers to examples and code snippets
• a3214d3 [dist] 8.12.0
• 42d79f6 [minor] Use `buffer.isUtf8()` if possible
• ff63bba [pkg] Update utf-8-validate to version 6.0.0
• d412358 [minor] Fix nits
• 2dc2812 [minor] Make `sendAfterClose()` call the callback in the next tick
• fb1dfd2 [doc] Fix badge URL
• 83c72cf [perf] Make `toBuffer()` use `FastBuffer`
• 1b057f9 [minor] Fix nit
• e6a32f8 [perf] Use `FastBuffer` instead of `Buffer#subarray()`
• 9e0fd77 [minor] Use `Buffer#subarray()` instead of `Buffer#slice()`
• a6fa37a [license] Update copyright notice
• 8a8fc88 [minor] Validate the payload length of the close frame sooner
• ea76193 [doc] Improve doc for the `callback` argument of `WebSocketServer`
• afd8c62 [dist] 8.11.0
• 1cec17d [fix] Add the same event listener only once
• 9ab743a [feature] Add support for objets with a `handleEvent()` method

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
ws	7.2.0...8.13.0	network, environment	+0/-1	137 kB	lpinca

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Environment variable access	ws	8.13.0	Env Vars: Location: lib/buffer-util.js +3 more instances...	package.json

Next steps

What is environment variable access?

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore [email protected]