The Wayback Machine - https://web.archive.org/web/20250519141221/https://github.com/dotnet/aspnetcore/pull/33136
Skip to content

Bump ws from 7.4.5 to 7.4.6 in /src/SignalR/clients/ts/signalr #33136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
1 commit merged into from
Jun 1, 2021
Merged

Bump ws from 7.4.5 to 7.4.6 in /src/SignalR/clients/ts/signalr #33136

1 commit merged into from
Jun 1, 2021

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 29, 2021

Bumps ws from 7.4.5 to 7.4.6.

Release notes

Sourced from ws's releases.

7.4.6

Bug fixes

  • Fixed a ReDoS vulnerability (00c425ec).

A specially crafted value of the Sec-Websocket-Protocol header could be used to significantly slow down a ws server.

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();
value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start);
}

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added javascript Pull requests that update Javascript code Type: Dependency Update 🔼 labels May 29, 2021
@ghost ghost added the area-signalr Includes: SignalR clients and servers label May 29, 2021
dougbu
dougbu reviewed Jun 1, 2021
View reviewed changes
Copy link
Contributor

@dougbu dougbu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BrennanConroy @halter73 any reason not to take this fix❔ PR is ostensibly green though it's possible the quarantined-pr pipeline caught something important.

@dougbu
Copy link
Contributor

dougbu commented Jun 1, 2021

though it's possible the quarantined-pr pipeline caught something important.

Nah, just another reliability issue in the WASM build.

@ghost
Copy link

ghost commented Jun 1, 2021

Hello @halter73!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

@halter73
Copy link
Member

halter73 commented Jun 1, 2021

/azp run

@ghost ghost merged commit df47cc7 into main Jun 1, 2021
@ghost ghost deleted the dependabot/npm_and_yarn/src/SignalR/clients/ts/signalr/ws-7.4.6 branch June 1, 2021 20:27
@azure-pipelines
Copy link

Pipelines were unable to run due to time out waiting for the pull request to finish merging.

@ghost
Copy link

ghost commented Jun 1, 2021

Hi @azure-pipelines[bot]. It looks like you just commented on a closed PR. The team will most probably miss it. If you'd like to bring something important up to their attention, consider filing a new issue and add enough details to build context.

@dougbu dougbu mentioned this pull request Jun 3, 2021
Merged
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dougbu dougbu dougbu left review comments

@halter73 halter73 halter73 approved these changes

@BrennanConroy BrennanConroy Awaiting requested review from BrennanConroy BrennanConroy is a code owner

Assignees
No one assigned
Labels
area-signalr Includes: SignalR clients and servers javascript Pull requests that update Javascript code Type: Dependency Update 🔼
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dougbu @halter73