-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency ws to v8.17.1 [security] #4998
Conversation
|
🐋 This PR was built and pushed to the following Docker images (tag: Docker Bake metadata{
"app": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/j1bhsza767czs1zxms01l9cyz",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:b2412b5435cf9e378bd0cf6122c298487dc9ddbf41823a485d946a058f475cdd",
"size": 685
},
"containerimage.digest": "sha256:b2412b5435cf9e378bd0cf6122c298487dc9ddbf41823a485d946a058f475cdd",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/app:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/app:renovate_npm_ws_vulnerability"
},
"composition-federation-2": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/stfogji3ex8hw23abdydxmt6x",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:f3aa74a513becd849c28481d6eb38a4b11988520f3176e1bc19336cbf7e4262c",
"size": 685
},
"containerimage.digest": "sha256:f3aa74a513becd849c28481d6eb38a4b11988520f3176e1bc19336cbf7e4262c",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/composition-federation-2:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/composition-federation-2:renovate_npm_ws_vulnerability"
},
"emails": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/nopmor3b83ft3wr6jxxeib19v",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:ffe3d6b71e57f08ec4b8dc492593a1fbe7167df59f5bb6993fd474252f67b9f0",
"size": 685
},
"containerimage.digest": "sha256:ffe3d6b71e57f08ec4b8dc492593a1fbe7167df59f5bb6993fd474252f67b9f0",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/emails:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/emails:renovate_npm_ws_vulnerability"
},
"policy": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/urbav7hihn00ohyjkhujib2ft",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:3a3b478cddb513c2b365f65725bb7ef1300cef1b6414be34ca634118c0b5f8bd",
"size": 685
},
"containerimage.digest": "sha256:3a3b478cddb513c2b365f65725bb7ef1300cef1b6414be34ca634118c0b5f8bd",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/policy:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/policy:renovate_npm_ws_vulnerability"
},
"rate-limit": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/8iesp1zusmy2sbgwn6glqzjbs",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:e72d60982b0e7c668cebedea812d5e9d8dd9054dd5f15f268887b56014783338",
"size": 685
},
"containerimage.digest": "sha256:e72d60982b0e7c668cebedea812d5e9d8dd9054dd5f15f268887b56014783338",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/rate-limit:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/rate-limit:renovate_npm_ws_vulnerability"
},
"schema": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/uh648x3ucsx6y6873dhxkzynw",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:a2143b8e3d80c9085f45aec756b1bbd7c3ba43bbf5e7140cd312aca71393e773",
"size": 685
},
"containerimage.digest": "sha256:a2143b8e3d80c9085f45aec756b1bbd7c3ba43bbf5e7140cd312aca71393e773",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/schema:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/schema:renovate_npm_ws_vulnerability"
},
"server": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/9afl5yleexgb7mchri2ta1d74",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:76ea59ce96d06a4e4eabdad9c9fa212431eef9b008b37ac8b5f4aa9d25ec1731",
"size": 685
},
"containerimage.digest": "sha256:76ea59ce96d06a4e4eabdad9c9fa212431eef9b008b37ac8b5f4aa9d25ec1731",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/server:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/server:renovate_npm_ws_vulnerability"
},
"storage": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/o9davf6x5qpytyqnsua6ycp7g",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:d6c7daf9a1aa8d425beb1b348c420a70c8f229e8d4b5ea8fcff1dff58be040ef",
"size": 685
},
"containerimage.digest": "sha256:d6c7daf9a1aa8d425beb1b348c420a70c8f229e8d4b5ea8fcff1dff58be040ef",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/storage:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/storage:renovate_npm_ws_vulnerability"
},
"stripe-billing": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/j036b7fqy4ktqdjiyg4dhf7f1",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:ebb931eb5bd696d9e803b213c88d502a8cd47c91160284c2c9f0df990551693f",
"size": 685
},
"containerimage.digest": "sha256:ebb931eb5bd696d9e803b213c88d502a8cd47c91160284c2c9f0df990551693f",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/stripe-billing:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/stripe-billing:renovate_npm_ws_vulnerability"
},
"tokens": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/zp4p2twthdirj3s4hbweqsqjx",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:81018e337b0686f0082bc4159f509d768a616cde66ee5437ee6e7ca83088982f",
"size": 685
},
"containerimage.digest": "sha256:81018e337b0686f0082bc4159f509d768a616cde66ee5437ee6e7ca83088982f",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/tokens:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/tokens:renovate_npm_ws_vulnerability"
},
"usage": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/cvluw2i6b5ik6njwty0dstlbk",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:8efc729103b4436362113be3f9ce63e31cf788b557e660d016437d7c2c46532a",
"size": 685
},
"containerimage.digest": "sha256:8efc729103b4436362113be3f9ce63e31cf788b557e660d016437d7c2c46532a",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/usage:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/usage:renovate_npm_ws_vulnerability"
},
"usage-estimator": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/f2byix5y6y9j06yf47h5n2do2",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:ac634ded4310e8a021080a0573dfbcc2bcff7c0052e5eed21a0b3c1e0f08c676",
"size": 685
},
"containerimage.digest": "sha256:ac634ded4310e8a021080a0573dfbcc2bcff7c0052e5eed21a0b3c1e0f08c676",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/usage-estimator:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/usage-estimator:renovate_npm_ws_vulnerability"
},
"usage-ingestor": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/5bfumz8w24ile8jt2gpvpi7c6",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:48b94b1c9dbd0ef9c340a828347159bcefe08bc699b294af33605d31dad75aed",
"size": 685
},
"containerimage.digest": "sha256:48b94b1c9dbd0ef9c340a828347159bcefe08bc699b294af33605d31dad75aed",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/usage-ingestor:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/usage-ingestor:renovate_npm_ws_vulnerability"
},
"webhooks": {
"buildx.build.ref": "builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa37/builder-2a188a89-c483-4f11-bd5d-78dc0dfbaa370/miyb57t6vh5qknylx2et34j4o",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:7b70bee5f32b6b53682fcbc231c1e3ca3cecae22a82974feec0f3ac8174071d5",
"size": 685
},
"containerimage.digest": "sha256:7b70bee5f32b6b53682fcbc231c1e3ca3cecae22a82974feec0f3ac8174071d5",
"image.name": "ghcr.io/kamilkisiela/graphql-hive/webhooks:3c2cb1d841a85e88fe85420bb2942ef27d2c2da6,ghcr.io/kamilkisiela/graphql-hive/webhooks:renovate_npm_ws_vulnerability"
}
} |
This PR contains the following updates:
8.17.0
->8.17.1
GitHub Vulnerability Alerts
CVE-2024-37890
Impact
A request with a number of headers exceeding the
server.maxHeadersCount
threshold could be used to crash a ws server.Proof of concept
Patches
The vulnerability was fixed in [email protected] (websockets/ws@e55e510) and backported to [email protected] (websockets/ws@22c2876), [email protected] (websockets/ws@eeb76d3), and [email protected] (websockets/ws@4abd8f6)
Workarounds
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=size
and/or themaxHeaderSize
options so that no more headers than theserver.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.Credits
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
References
Release Notes
websockets/ws (ws)
v8.17.1
Compare Source
Bug fixes
A request with a number of headers exceeding the[
server.maxHeadersCount
][server.maxHeadersCount]threshold could be used to crash a ws server.
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
[
--max-http-header-size=size
][--max-http-header-size=size] and/or the [maxHeaderSize
][maxHeaderSize] options sothat no more headers than the
server.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.