chore(deps)(deps): bump ws from 8.20.0 to 8.21.0

[dependabot]

Bumps ws from 8.20.0 to 8.21.0.

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/ws	8.21.0	🟢 5.5	Details Check Score Reason Code-Review ⚠️ 0 Found 1/29 approved changesets -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 13 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• package-lock.json

[github-actions]

📊 Test Coverage Report

Metric	Coverage	CI Gate	Target
Lines	✅ 86.4% (11426/13228)	75%	80%
Statements	✅ 86.4% (11426/13228)	75%	80%
Branches	✅ 80.4% (1382/1719)	70%	80%
Functions	🟡 78.3% (257/328)	—	80%

🟡 CI gate passed — coverage below 80% target

Files below 80% coverage

File	Lines	Functions	Branches
src/middlewares/guardrail/GuardrailInterceptorHook.ts	76.6%	100.0%	73.0%
src/middlewares/guardrail/GuardrailMiddleware.ts	75.6%	66.7%	68.2%
src/middlewares/guardrail/GuardrailScanner.ts	93.4%	100.0%	64.3%
src/middlewares/guardrail/GuardrailWriteScannerHook.ts	71.0%	100.0%	78.2%
src/middlewares/guardrail/ModerationGuardHook.ts	74.8%	100.0%	58.8%
src/middlewares/guardrail/guards/canary-tracker.ts	98.0%	80.0%	66.7%
src/middlewares/guardrail/guards/content-moderation.ts	78.4%	100.0%	90.6%
src/middlewares/guardrail/guards/sensitive-paths.ts	94.1%	100.0%	77.3%
src/middlewares/guardrail/scanners/HeuristicScanner.ts	100.0%	100.0%	75.0%
src/middlewares/guardrail/scanners/RegexScanner.ts	90.3%	100.0%	78.6%
src/middlewares/guardrail/storage/ConfigStore.ts	88.0%	71.4%	80.0%
src/middlewares/guardrail/storage/DecisionLog.ts	70.3%	40.0%	100.0%
src/middlewares/hitl/Interceptor.ts	89.8%	83.3%	75.7%
src/middlewares/hitl/index.ts	85.8%	54.5%	66.7%
src/middlewares/hitl/script-content-loader.ts	47.8%	0.0%	100.0%
src/middlewares/hitl/tool-interceptor.ts	89.5%	100.0%	70.9%
src/middlewares/hitl/approval/ApprovalQueue.ts	79.7%	81.3%	78.6%
src/middlewares/hitl/approval/Arbitrator.ts	36.1%	25.0%	91.7%
src/middlewares/hitl/approval/TotpManager.ts	93.9%	87.5%	71.4%
src/middlewares/hitl/approval/approval-commands.ts	84.8%	100.0%	72.7%
src/middlewares/hitl/scoring/IrreversibilityScorer.ts	95.6%	100.0%	75.0%
src/middlewares/hitl/storage/BrowserSessionStore.ts	94.7%	100.0%	72.5%
src/middlewares/hitl/storage/DecisionLog.ts	70.6%	25.0%	100.0%
src/middlewares/hitl/storage/PolicyStore.ts	89.4%	85.7%	64.3%
src/middlewares/hitl/storage/StatsTracker.ts	91.2%	71.4%	80.0%
src/middlewares/pii-sanitizer/PiiSanitizerMiddleware.ts	75.7%	58.3%	74.2%
src/middlewares/pii-sanitizer/PolicyEngine.ts	96.6%	100.0%	70.6%
src/middlewares/pii-sanitizer/ScannerEngine.ts	70.0%	85.7%	87.5%
src/middlewares/pii-sanitizer/storage/DlpStore.ts	70.6%	18.2%	100.0%
src/middlewares/tool-call-limit/ToolCallLimitMiddleware.ts	86.8%	72.2%	86.4%
src/middlewares/tool-call-limit/storage/LimitPolicyStore.ts	74.6%	50.0%	75.0%

---

Generated by CI on commit 2c8f837