Skip to content

chore(deps): bump ws#1530

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-6aaed2ab8e
Open

chore(deps): bump ws#1530
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-6aaed2ab8e

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown
Contributor

Bumps ws to 8.21.1 and updates ancestor dependency . These dependencies need to be updated together.

Updates ws from 8.19.0 to 8.21.1

Release notes

Sourced from ws's releases.

8.21.1

Bug fixes

  • Empty fragments are now counted toward the limit (a2f4e7c0).
  • The default values of the maxBufferedChunks and maxFragments options have been reduced (f197ac65).

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

... (truncated)

Commits
  • ae1de54 [dist] 8.21.1
  • 8e9511b [ci] Trust Coveralls Homebrew tap
  • f197ac6 [fix] Lower default values of maxBufferedChunks and maxFragments
  • 8df8265 [ci] Update actions/checkout action to v7
  • a2f4e7c [fix] Count empty fragments toward the limit (#2329)
  • e79f912 [pkg] Approve install scripts for bufferutil and utf-8-validate
  • 4ea355d [doc] Document 32-bit signed integer coercion for option values
  • 2120f4c [example] Remove uuid dependency
  • 4c534a6 [security] Add latest vulnerability to SECURITY.md
  • bca91ad [dist] 8.21.0
  • Additional commits viewable in compare view

Updates ws from 7.5.10 to 7.5.12

Release notes

Sourced from ws's releases.

8.21.1

Bug fixes

  • Empty fragments are now counted toward the limit (a2f4e7c0).
  • The default values of the maxBufferedChunks and maxFragments options have been reduced (f197ac65).

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

... (truncated)

Commits
  • ae1de54 [dist] 8.21.1
  • 8e9511b [ci] Trust Coveralls Homebrew tap
  • f197ac6 [fix] Lower default values of maxBufferedChunks and maxFragments
  • 8df8265 [ci] Update actions/checkout action to v7
  • a2f4e7c [fix] Count empty fragments toward the limit (#2329)
  • e79f912 [pkg] Approve install scripts for bufferutil and utf-8-validate
  • 4ea355d [doc] Document 32-bit signed integer coercion for option values
  • 2120f4c [example] Remove uuid dependency
  • 4c534a6 [security] Add latest vulnerability to SECURITY.md
  • bca91ad [dist] 8.21.0
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 15, 2026

@danielpeintner danielpeintner left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI is green

Bumps [ws](https://github.com/websockets/ws) to 8.21.1 and updates ancestor dependency . These dependencies need to be updated together.


Updates `ws` from 8.19.0 to 8.21.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.21.1)

Updates `ws` from 7.5.10 to 7.5.12
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.21.1)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 7.5.12
  dependency-type: direct:production
- dependency-name: ws
  dependency-version: 8.21.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-6aaed2ab8e branch from 3e47915 to 0614919 Compare July 16, 2026 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant