Skip to content

build(deps): bump ws from 8.20.0 to 8.20.1#2477

Merged
DevipriyaS17 merged 2 commits into
mainfrom
dependabot/npm_and_yarn/ws-8.20.1
May 14, 2026
Merged

build(deps): bump ws from 8.20.0 to 8.20.1#2477
DevipriyaS17 merged 2 commits into
mainfrom
dependabot/npm_and_yarn/ws-8.20.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 13, 2026
edited
Loading

Bumps ws from 8.20.0 to 8.20.1.

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

Commits
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 13, 2026
@dependabot
build(deps): bump ws from 8.20.0 to 8.20.1
1684a4f 
Bumps [ws](https://github.com/websockets/ws) from 8.20.0 to 8.20.1.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.20.1)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/ws-8.20.1 branch from c78a633 to 1684a4f Compare May 14, 2026 05:15
@DevipriyaS17 DevipriyaS17 merged commit 92034f5 into main May 14, 2026
7 checks passed
@DevipriyaS17 DevipriyaS17 deleted the dependabot/npm_and_yarn/ws-8.20.1 branch May 14, 2026 05:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DevipriyaS17 DevipriyaS17 DevipriyaS17 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DevipriyaS17