chore(deps): update dependency ws to v8.20.1 #344

Open. renovate[bot] wants to merge 1 commit into main from renovate/ws-8.x-lockfile

renovate[bot] (Contributor) commented May 20, 2026

This PR contains the following updates:

| Package | Change |
|---|---|
| ws | 8.19.0 → 8.20.1 |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

websockets/ws (ws)

v8.20.1

Compare Source

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close()
    (c0327ec).

Providing a TypedArray (e.g. Float32Array) as the reason argument for
websocket.close(), rather than the supported string or Buffer types, caused
uninitialized memory to be disclosed to the remote peer.

```js
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});
```

The issue was privately reported by Nikita Skovoroda.

v8.20.0

Compare Source

Features

  • Added exports for the PerMessageDeflate class and utilities for the
    Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
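
Added example, not part of this PR or of ws: a call-site guard that turns a close reason into a byte-length Buffer before it reaches websocket.close(), plus a small illustration, on marker-filled rather than uninitialized memory, of how sizing a buffer by byte length while copying by element leaves bytes unwritten. The helper names are hypothetical, and that this mismatch is what c0327ec fixed is an assumption the page does not confirm.

```javascript
// Added example, not code from ws or this PR. Helper names are hypothetical.
const MAX_REASON_BYTES = 123; // 125-byte control frame payload minus 2-byte status code

// Illustration only (assumed, not confirmed by the page, to be the kind of
// mismatch behind the ws bug). The output buffer is pre-filled with a 0xAA
// marker standing in for stale memory. It is sized by byte length but filled
// with TypedArray.prototype.set(), which writes one byte per *element*.
// Expects a zero-filled Buffer or TypedArray; returns the unwritten byte count.
function unwrittenBytes(reason) {
  const out = Buffer.alloc(2 + Buffer.byteLength(reason), 0xaa);
  out.set(reason, 2);
  let count = 0;
  for (let i = 2; i < out.length; i++) if (out[i] === 0xaa) count++;
  return count;
}

// Guard: return the reason as a Buffer whose length is a byte count.
function normalizeCloseReason(reason) {
  if (reason === undefined) return undefined;
  let bytes;
  if (typeof reason === 'string') {
    bytes = Buffer.from(reason, 'utf8');
  } else if (Buffer.isBuffer(reason)) {
    bytes = reason;
  } else if (ArrayBuffer.isView(reason)) {
    // Same memory re-viewed as bytes, so length === byteLength.
    bytes = Buffer.from(reason.buffer, reason.byteOffset, reason.byteLength);
  } else {
    throw new TypeError('close reason must be a string, Buffer or TypedArray');
  }
  if (bytes.length > MAX_REASON_BYTES) {
    throw new RangeError(`close reason exceeds ${MAX_REASON_BYTES} bytes`);
  }
  return bytes;
}

// Drop-in wrapper for call sites; `socket` is anything with close(code, reason).
function safeClose(socket, code, reason) {
  socket.close(code, normalizeCloseReason(reason));
}
```

For the `Float32Array(20)` from the release notes, the guard hands over the same 80 zero bytes that the reproduction script expects to receive.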

fasterthanlime added a commit that referenced this pull request May 21, 2026
Consolidates the 10 open `chore(deps)` renovate PRs (#344–#345,
#347–#354) into a single change so the shared lockfiles only churn once.

## Bumps

| Dep | From → To | Renovate PR |
|---|---|---|
| typescript | 5.8 → 6.0 | #354 |
| pnpm (CI `action-setup`) | 10 → 11 | #353 |
| orval (`setup-trusted-publishing`) | 7 → 8 | #352 |
| @vitest/coverage-v8 (`vox-postcard`) | 2 → 4 | #351 |
| @types/node | 22 → 25 | #350 |
| actions/upload-pages-artifact | v3 → v5 | #349 |
| actions/deploy-pages | v4 → v5 | #348 |
| dprint-plugin-typescript | 0.95 → 0.96 | #347 |
| afl (`fuzz/vox-afl`) | 0.17 → 0.18 | #345 |
| ws | → 8.20.1 (lockfile) | #344 |

`pnpm-lock.yaml`, `Cargo.lock` and `fuzz/vox-afl/Cargo.lock` were
regenerated from the manifest changes.

## Extra changes needed to keep things coherent

- **vitest 2 → 4** (`vox-core`, `vox-inprocess`, `vox-postcard`,
`vox-wire`, `vox-ws`). `@vitest/coverage-v8` v4 requires `vitest` v4 as
a peer — bumping coverage-v8 alone (PR #351) leaves coverage broken
(`BaseCoverageProvider` export moved). CI never caught it because the
`test` scripts run `vitest run` without `--coverage`.
- **`pnpm-workspace.yaml` `allowBuilds.esbuild: false`**. pnpm 11 turns
ignored build scripts into a hard error. esbuild ships prebuilt platform
binaries and does not need its install script (this matches the pnpm-10
behaviour on `main`).
- **`vox-postcard` / `vox-wire`**: declare `@types/node` and set
`compilerOptions.types: ["node"]`. vitest 4 disrupts TypeScript's
automatic `@types/node` discovery, which these packages' test files
(`node:` builtin imports) rely on.

## Verification

- `pnpm -r run check` (tsgo), `check:ts-boundaries`, `pnpm run build`,
`pnpm run lint` — pass
- `vitest run` across all test packages, plus `vitest run --coverage` in
`vox-postcard` — pass
- `cargo check --workspace --all-targets` — passes (covers the
dprint-plugin-typescript bump)

## Not addressed

- `fuzz/vox-afl` has pre-existing compile errors in its bins from vox
API drift (`SelfRef`, etc.) — unrelated to the afl bump and not built in
CI. Only the lockfile/manifest were touched.
- `tools/setup-trusted-publishing` is a standalone, non-CI tool — only
its `package.json` was bumped (its `orval.config.ts` reads an OpenAPI
spec from a path outside this repo, so `generated/` was not
regenerated). This matches what renovate #352/#354 did.
renovate[bot] force-pushed the renovate/ws-8.x-lockfile branch from 36b714d to d138c18, May 21, 2026 09:02