Skip to content

chore: update dependency ws to ^8.21.1#11681

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/ws-8.x
Open

chore: update dependency ws to ^8.21.1#11681
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/ws-8.x

Conversation

@renovate

@renovate renovate Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
ws ^8.20.1^8.21.1 age adoption passing confidence

Release Notes

websockets/ws (ws)

v8.21.1

Compare Source

Bug fixes

  • Empty fragments are now counted toward the limit (a2f4e7c).
  • The default values of the maxBufferedChunks and maxFragments options have
    been reduced (f197ac6).

v8.21.0

Compare Source

Features
  • Introduced the maxBufferedChunks and maxFragments options (2b2abd4).
Bug fixes
  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd4).

A high volume of tiny fragments and data chunks could be sent by a peer, using
modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the
maxPayload option if possible.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from raymondfeng as a code owner July 15, 2026 04:11
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jul 15, 2026
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/ws-8.x branch from ee2045d to e00a655 Compare July 15, 2026 06:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants