Skip to content

Releases: websockets/ws

7.5.2

04 Jul 05:32
@lpinca lpinca
7.5.2
0ad1f9d
Compare
Choose a tag to compare
7.5.2

Bug fixes

  • The opening handshake is now aborted if the client receives a
    Sec-WebSocket-Extensions header but no extension was requested or if the
    server indicates an extension not requested by the client (aca94c8).
Assets 2
Loading

7.5.1

29 Jun 05:17
@lpinca lpinca
7.5.1
38c6c73
Compare
Choose a tag to compare
7.5.1

Bug fixes

  • Fixed an issue that prevented the connection from being closed properly if an
    error occurred simultaneously on both peers (b434b9f).
Assets 2
Loading

7.5.0

16 Jun 13:15
@lpinca lpinca
7.5.0
e3f0c17
Compare
Choose a tag to compare
7.5.0

Features

  • Some errors now have a code property describing the specific type of error
    that has occurred (#1901).

Bug fixes

  • A close frame is now sent to the remote peer if an error (such as a data
    framing error) occurs (8806aa9).
  • The close code is now always 1006 if no close frame is received, even if the
    connection is closed due to an error (8806aa9).
Assets 2
Loading

5.2.3

08 Jun 19:26
@lpinca lpinca
5.2.3
6dd88e7
Compare
Choose a tag to compare
5.2.3

Bug fixes

Assets 2
Loading

6.2.2

07 Jun 11:23
@lpinca lpinca
6.2.2
9bdb580
Compare
Choose a tag to compare
6.2.2

Bug fixes

Assets 2
Loading

7.4.6

25 May 16:28
@lpinca lpinca
7.4.6
f5297f7
Compare
Choose a tag to compare
7.4.6

Bug fixes

  • Fixed a ReDoS vulnerability (00c425e).

A specially crafted value of the Sec-Websocket-Protocol header could be used
to significantly slow down a ws server.

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

The vulnerability was responsibly disclosed along with a fix in private by
Robert McLaughlin from University of California, Santa Barbara.

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
allowed length of the request headers using the --max-http-header-size=size
and/or the maxHeaderSize options.

Assets 2
Loading

7.4.5

18 Apr 08:21
@lpinca lpinca
7.4.5
f672710
Compare
Choose a tag to compare
7.4.5

Bug fixes

  • UTF-8 validation is now done even if utf-8-validate is not installed
    (23ba6b2).
  • Fixed an edge case where websocket.close() and websocket.terminate() did
    not close the connection (67e25ff).
Assets 2
Loading

7.4.4

06 Mar 20:45
@lpinca lpinca
7.4.4
a74dd2e
Compare
Choose a tag to compare
7.4.4

Bug fixes

  • Fixed a bug that could cause the process to crash when using the
    permessage-deflate extension (9277437).
Assets 2
Loading

7.4.3

02 Feb 19:18
@lpinca lpinca
7.4.3
223194e
Compare
Choose a tag to compare
7.4.3

Bug fixes

  • The deflate/inflate stream is now reset instead of reinitialized when context
    takeover is disabled (#1840).
Assets 2
Loading

7.4.2

29 Dec 20:18
@lpinca lpinca
7.4.2
d1a8af4
Compare
Choose a tag to compare
7.4.2

Bug fixes

  • Silenced a deprecation warning (a2c0d44).
Assets 2
Loading